Modlishka – Exploiting Two-Factor Authentication
(Eating Your 2FA Cookies and Stealing Your Account Contents)
Two-factor authentication (2FA) is a commonly used means of securing access to website accounts through easily understood login procedures. Once the user provides the required information, whether a password or site generated code, a session cookie is generated and a secure session is established between the user and the site.
But what if an unauthorized person eavesdrops and collects the 2FA information or session cookie? They could then use that information to gain access to the account by pretending to be the authorized user, and that is precisely the function of Modlishka, a pentesting tool created by a Polish researcher/penetration tester.
As described in an article published on January 2, 20191, Modlishka (an anglicization of the Polish word for ‘mantis’) was ostensibly developed to allow penetration team members to better test system defenses, but the tool is now available on the internet for anyone to use to automate their phishing attacks. Access to this tool has the potential to make the widely used 2FA process ineffective.
Described in broad strokes, Modlishka sits between the user and the site that the user wants to access. It pretends to act as a reverse proxy for the site the user is trying to reach, meaning the server appears to be working on behalf of the legitimate site and serving some legitimate function for that site (such as directing traffic).
When the legitimate site prompts the user to use 2FA to log in, or generates a 2FA token for the legitimate user, Modlishka is sitting between the user and the site, collecting the token, and enabling an unauthorized user to establish their own session which appears to be 2FA secured.
So, how can you keep Modlishka from sitting in the middle of the authentication process and stealing users’ credentials?
First, the tool does not work against Universal 2nd Factor (U2F) for multi-factor authentication (hardware tokens). By implementing U2F on your site, you can protect visitors’ login credentials from being stolen.
Second, phishing awareness and safeguards remain critically important. Users should not click on emailed links and should make sure that they have correctly addressed the site they’re trying to reach. Misaddressed site requests, routing the user to a malevolent proxy server, can end in Modlishka collecting the 2FA goodies before passing the user on to the legitimate website. The user may have had their credentials stolen and be completely unaware that a malicious actor is sitting in the account with access to all its sensitive contents.
While pentesting tools like Modlishka may purportedly be developed with the intent of helping organizations improve their security, in the wrong hands they can prove disastrous to unsuspecting users and websites. It is more important than ever before to have a heightened awareness of your digital environment.
Click the ‘Subscribe for More Updates’ button at the top-right of this page to receive alerts when new Digital Insights posts go up.
1. Lewis Brisbois does not wish to aid in the further propagation this tool and therefore will not include a link to the referenced paper.