
2FA bypassing tool Modlishka is on GitHub for all to use

The tool is supposed to be used for penetration testing….hmmm….

GITHUB CONTAINS ALL SORTS OF CODE, but some snippets are more eyebrow-raising than others; case in point, the addition of the Modlishka hacking tool that can bypass two-factor authentication.

The tool was created by Polish cyber security researcher Piotr Duszyński and popped on GitHub for all to use at the start of the year.

Designed for penetration testing, Modlishka sits between the user and a target website or online service, such as Gmail, and has victims connect to a server hosting it using a phishing domain.

From there the victim is served legitimate content from the website they are attempting to access, but all their traffic passes through the Modlishka server and gets recorded.

If passwords are entered into, say, an online email client, Modlishka logs them and also uses a technique called ‘reverse proxy’ to prompt users for 2FA tokens, if their accounts are set up with the extra layer of security authentication.

Hackers would need to be using Modlishka at the time to spot and collect the 2FA tokens, but if they did get hold of them they would have all they needed to log in to a victim’s online accounts and services.

Thanks to Modlishka serving up genuine website content, it doesn’t require hackers to create spoof sites or templates of landing pages in order to swipe data. This means that less time and effort is needed to set up such an attack, which would make it look like Modlishka is as much a tool for making phishing attacks easier for hackers as it is for penetration testing.

A bit of configuration and getting hold of valid TLS certificates is needed to bypass alerts that Modlishka isn’t using HTTPS connections, but after that the tool would appear to be fairly straightforward to use.

We’d question why such a tool was released into the open community of GitHub given it could open up the road for inexperienced hackers to set up phishing attacks.

But Duszyński defended the decision to ZDNet: “We have to face the fact that without a working proof of concept, that really proves the point, the risk is treated as theoretical, and no real measures are taken to address it properly.”

“This status quo, and lack of awareness about the risk, is a perfect situation for malicious actors that will happily exploit it,” he added.

We guess he has a point, but we’ll keep our fingers crossed that hackers don’t go hell for leather in using his tool for nefarious deeds. µ

Source : Inquirer

Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.
