Sunday, March 30, 2025

Browser-in-the-Middle (BiTM).

"Oh good, a new way to bypass MFA. It’s called Browser-in-the-Middle (BiTM).

Here’s an excerpt from my newsletter that explains how it works:

Step 1: The attacker sets up a server and installs a remote access tool like noVNC. noVNC is a web-based VNC (Virtual Network Computing) client. Unlike traditional VNC, which requires a separate client application, noVNC allows access to the server's desktop directly through a web browser. This is achieved using HTML5 canvas and WebSockets to provide a browser-based interface to the VNC protocol.

Step 2: The attacker runs a web browser on the server in kiosk mode. Kiosk mode is a software configuration that restricts the browser to full-screen operation, disabling navigation controls, address bars, and other operating system elements. This creates a focused interface, mimicking a dedicated application. Many operating systems support kiosk mode, often through command-line switches or configuration files (e.g., --kiosk in Chrome). The attacker then preloads a login page for the target service (e.g., Gmail, Microsoft 365) within this kiosk browser. This preloaded page is crucial for the attack, as it presents the victim with a seemingly legitimate interface.

Step 3: The attacker sends the victim a URL to connect to the noVNC server. This URL typically includes the server's IP address or domain name and the noVNC port (default is often 6080). When the victim clicks the link, their browser establishes a WebSocket connection to the attacker's server. The noVNC server then streams the contents of the browser running on the attacker's machine to the victim's browser. Crucially, the victim's browser is rendering the attacker's browser session. Thus, the victim sees the preloaded login page, believing it's hosted on the legitimate service's domain, when it's actually a remote display of the attacker's system.

The user logs into the application with their valid credentials and, if MFA is enabled, will enter their MFA token. This information is captured by the attacker's browser session.

Step 4: The attacker wins. The victim has effectively entered their credentials and MFA token into the attacker's browser. To illustrate the severity: this is analogous to the attacker preparing their environment, the victim remotely interacting with it as if it were their own, and unknowingly providing sensitive access credentials directly to the attacker. The attacker now has the necessary credentials and MFA token to potentially access the application on their own system, bypassing the intended security measures."
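One place a defender can look for this is the web-proxy log: a user is lured into a WebSocket session with a bare IP on noVNC's default port 6080 moments before "logging in". The following detection sketch is an added example, not code from the newsletter author; the log lines are constructed, the allowlist host is hypothetical, and the `vnc.html` / `websockify` paths are assumed from noVNC's defaults rather than taken from the excerpt.

```python
import re

# Constructed sample proxy log lines (timestamp user method url status).
# bob's lines show a BiTM pattern: a request to noVNC's landing page on a bare
# IP at port 6080, then an HTTP 101 WebSocket upgrade to the websockify endpoint.
# carol reaches a known, sanctioned browser-based VNC host and is not flagged.
SAMPLE_LOG = """\
2025-03-30T10:01:02Z alice GET https://mail.example-service.com/login 200
2025-03-30T10:01:05Z alice GET https://cdn.example-service.com/app.js 200
2025-03-30T10:02:10Z bob GET http://203.0.113.7:6080/vnc.html?autoconnect=1 200
2025-03-30T10:02:11Z bob GET http://203.0.113.7:6080/websockify 101
2025-03-30T10:03:00Z carol GET https://vnc.corp.example.com/vnc.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^(https?)://([^/:]+)(?::(\d+))?(/[^?\s]*)?")

# Hosts where a browser-based VNC session is expected (hypothetical allowlist).
ALLOWED_VNC_HOSTS = {"vnc.corp.example.com"}


def classify(url: str, status: str) -> list[str]:
    """Return the reasons one request looks like a noVNC / BiTM session."""
    m = URL_RE.match(url)
    if not m:
        return []
    _scheme, host, port, path = m.groups()
    if host in ALLOWED_VNC_HOSTS:
        return []
    path = path or "/"
    reasons = []
    if port == "6080":
        reasons.append("noVNC default port 6080")
    if path.endswith("/vnc.html") or path.endswith("/websockify"):
        reasons.append(f"noVNC path {path}")
    if status == "101" and (port == "6080" or path.endswith("/websockify")):
        reasons.append("WebSocket upgrade to remote-display endpoint")
    return reasons


def find_bitm_sessions(log: str) -> dict[str, list[str]]:
    """Map each user to the reasons their traffic was flagged (absent if none)."""
    hits: dict[str, list[str]] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, user, _method, url, status = m.groups()
        for reason in classify(url, status):
            hits.setdefault(user, []).append(reason)
    return hits
```

A flagged user whose next request is a real login to the corporate identity provider is the case worth an immediate credential and MFA reset.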
