A security researcher has found a new and dangerous way to abuse remote desktop software to bypass multi-factor authentication (MFA) and take over accounts that would otherwise be protected by it.
The researcher, who goes by the name mr.dox, stumbled upon the idea when doing penetration testing for a customer.
MFA normally blunts credential phishing: even if the victim lands on a fake login page and types in their username and password, the attacker still lacks the one-time passcode and cannot complete the login.
It's not your browser
But what if the victim were not loading the website in their own browser at all, and was instead viewing a noVNC session in which Firefox (or any other browser, for that matter) runs in kiosk mode on a machine the attacker controls?
That is exactly what mr.dox did. noVNC is, in the simplest terms, a remote desktop client that runs in the browser: it lets a user connect to a VNC (Virtual Network Computing) server just by opening a link, with nothing to install.
In practice, an attacker could send a phishing email telling the target they have a new, unread message on their LinkedIn account. The email's “Log in here” link would open the noVNC session, and because the remote browser is in kiosk mode (no address bar, tabs or window chrome), all the user sees is what looks like an ordinary login page, exactly as they would expect.
Once the victim logs in, including entering their MFA code, everything happens in a browser on the attacker's machine, so the attacker can capture the password and the one-time code and keep the resulting authenticated session. What makes this more dangerous is that some services ask for MFA only once per device: after the attacker's browser has been authorised as a trusted device, the password alone is enough to get back in.
VNC also allows more than one viewer on the same session, so the attacker could disconnect the victim once they have logged in and reconnect to the still-authenticated session at a later date.
Speaking with BleepingComputer, the researcher said the attack is still theoretical as it hasn’t been observed in the wild, but he believes it’s only a matter of time before it is.
As for defences, they are the same as for any phishing: do not open email attachments or follow email links unless you are certain of the sender's authenticity and intentions. One check that still works against this technique is the address bar of your own browser. The login page is being rendered inside the attacker's remote browser, so the URL you actually loaded is the attacker's noVNC host, not the real domain of the service you are supposedly signing in to.
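The link in the phishing email described above and the address-bar check just mentioned can both be turned into detection logic. The following is an added example, not code from the original article or from the researcher: it flags links whose host is not under the brand's domain and looks for the fingerprints of a stock noVNC deployment (its client pages vnc.html and vnc_lite.html, its connection query parameters, and websockify's default endpoint path). The proxy log lines, the 203.0.113.10 address and the brand domain are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Stock noVNC client pages and the query parameters vnc.html accepts for
# pre-filling a connection (e.g. ?autoconnect=true&password=...). The default
# websockify endpoint is served at /websockify on the same host.
NOVNC_PAGES = {"vnc.html", "vnc_lite.html"}
NOVNC_QUERY_PARAMS = {
    "autoconnect", "host", "port", "password", "path", "view_only", "resize", "reconnect",
}


def novnc_indicators(url):
    """Return the noVNC-specific features found in a URL (empty list means none)."""
    parts = urlparse(url)
    hits = []
    page = parts.path.rsplit("/", 1)[-1].lower()
    if page in NOVNC_PAGES:
        hits.append("page:" + page)
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    hits.extend("param:" + k for k in sorted(params & NOVNC_QUERY_PARAMS))
    if parts.path.rstrip("/").lower().endswith("/websockify"):
        hits.append("endpoint:websockify")
    return hits


def host_matches(url, expected_domain):
    """True if the URL's host is expected_domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def triage_link(claimed_brand_domain, href):
    """Score a 'Log in here' link against the brand the email claims it belongs to."""
    reasons = []
    if not host_matches(href, claimed_brand_domain):
        reasons.append("host is not under " + claimed_brand_domain)
    reasons.extend(novnc_indicators(href))
    return {"href": href, "suspicious": bool(reasons), "reasons": reasons}


# Constructed web-proxy log lines: timestamp, user, requested URL.
SAMPLE_PROXY_LOG = """\
2024-05-02T09:14:01Z alice https://www.linkedin.com/messaging/
2024-05-02T09:15:22Z bob https://203.0.113.10:6080/vnc.html?autoconnect=true&password=hunter2
2024-05-02T09:15:23Z bob wss://203.0.113.10:6080/websockify
2024-05-02T09:16:40Z carol https://login.example.org/account
"""


def scan_proxy_log(log_text):
    """Return (user, url, indicators) for every log line that carries noVNC markers."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, url = line.split(maxsplit=2)
        hits = novnc_indicators(url)
        if hits:
            findings.append((user, url, hits))
    return findings


if __name__ == "__main__":
    print(triage_link("linkedin.com", "https://203.0.113.10:6080/vnc.html?autoconnect=true"))
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

The host check is the important half: an attacker can rename vnc.html and move the websocket endpoint, but the page the victim loads still has to live on a host the attacker controls, which a brand-domain allowlist catches regardless of how the noVNC front end is dressed up.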