Posted by Stu Sjouwerman, May 8th
"OK, here is something really scary.
KnowBe4’s Chief Hacking Officer Kevin Mitnick now and then calls me with some chilling news. This time, a white hat hacker friend of his developed a tool to bypass 2-factor authentication, and it can be weaponized for any site! My first thought when I heard about this was: “Holy cr@p!”
I asked him: “Can you show it to me?”, and Kevin just sent me a video demo; you can see it below."
This particular attack proxies the user through the attacker’s system, starting from a credentials phish that uses a typo-squatting domain. Once the user falls for this social engineering tactic and enters their credentials, their authenticated session cookie is intercepted, and it is then trivial to hack into the target’s account.
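Because the phish depends on a typo-squatting domain, one defensive check is to compare hostnames seen in mail, proxy or DNS logs against the domains you want to protect. The following is an added example, not code from the original post or from the tool it describes; the protected domains, the sample hostnames and the distance threshold are constructed assumptions.

```python
# Added example. PROTECTED and the hostnames in SAMPLE are constructed.
PROTECTED = ("example-bank.com", "login.example.org")
# Small illustrative subset of digit-for-letter swaps used in lookalike names.
CONFUSABLES = str.maketrans("0135", "oles")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposed pair
        prev2, prev = prev, cur
    return prev[len(b)]

def classify(host, protected=PROTECTED, max_dist=2):
    """Return (verdict, matched_domain); verdict is legit, lookalike or unrelated."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in protected):
        return "legit", None
    for d in protected:
        # Compare only as many trailing labels as the protected name has, so
        # "www.examp1e-bank.com" is still measured against "example-bank.com".
        tail = ".".join(host.split(".")[-d.count(".") - 1:])
        if host.startswith(d + "."):  # protected name used as a subdomain prefix
            return "lookalike", d
        if tail.translate(CONFUSABLES) == d.translate(CONFUSABLES):
            return "lookalike", d
        if osa_distance(tail, d) <= max_dist:
            return "lookalike", d
    return "unrelated", None

SAMPLE = ["www.example-bank.com", "examp1e-bank.com", "exmaple-bank.com",
          "example-bank.com.login-verify.test", "weather.test"]

def flag(hosts):
    """Return (host, imitated_domain) for every lookalike in hosts."""
    return [(h, d) for h in hosts for v, d in [classify(h)] if v == "lookalike"]

if __name__ == "__main__":
    for host, target in flag(SAMPLE):
        print(f"lookalike of {target}: {host}")
```

A threshold of 2 suits long names; for short protected domains it will flag unrelated hosts, so tune `max_dist` per domain.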