Bypassing 2 Factor Authentication With Cookies!

If you have two-factor authentication (2FA) enabled on your account, you can’t be compromised, right?

Well, not exactly. As technology advances, so do the attackers. Phishing attacks have become more sophisticated and attackers are finding ways to bypass 2FA. The reason why is because of the delicious cookies stored in your browser. Session cookies are a way to show the server that the user has already authenticated. This includes passing the 2FA challenge. Your browser can use these cookie until it’s passed its sell-by date (Sorry). Once the cookie has expired, you will be asked to re-authenticate.

It depends on the application, but some may have stronger restrictions than others.

These include:

  • A single use cookie.
  • Restricted by IP, device or some sort of fingerprint.
  • Linked to another element which validates the cookie (Anti-Spoofing).

This isn’t the case for all though and this is what attackers are exploiting. Services like Outlook, Gmail and social networking platforms all allow the cookie to be reused. The attacker just needs a way of extracting them.

To show you how it works, I’m going to be using a browser extension called EditThisCookie: http://www.editthiscookie.com/

You don’t need a fancy extension to be able to see and view your cookies. If you hit F12 in your browser (developer), you can see the cookies being used under Application > Storage.

The problem is, you don’t have an easy way to extract them. Sure, you can copy and paste but this is long winded and is prone to errors. This is where Cookie Editors make life easier. With EditThisCooke, we can simply export and import cookies into different browsers.

Using Outlook.com as an example. We first login to our account.

Once our password is entered, we approve the MFA prompt.

And now we are in. Below you can see that I’m using two browsers. On the left, I have logged into Outlook using Chrome. On the right, you can see that I’m not logged into Outlook and are using Firefox. Remember that cookies are browser specific. 

With EditThisCookie, I can export my Outlook cookie from Chrome…

…and import them into Firefox. As you can see, I’m still not logged in.

Once imported, I hit the Outlook site again and I’m logged in. This is because Firefox used my imported cookie to prove that I have already authenticated.

Once imported, I hit the Outlook site again and I’m logged in. This is because Firefox used my imported cookie to show that I have already authenticated.

This was done on the same device however, this also works if I used another. If I exported the cookie on device 1 and imported them into device 2, I would get the same result (Application dependent).

This is basically what attackers are now exploiting. You may be thinking, how are they going to get access to my device though?

The answer is they are not trying to. Although I’m sure this could be achieved, it’s pretty low risk. An attacker could extract the cookie using some sort of script or Rubber Ducky but it’s unlikely. Instead, they are wanting you to come to them.

This is where EvilGinx2 comes into play: https://github.com/kgretzky/evilginx2

EvilGinx2 is a proxy/phishing tool which can extract your session cookie. It does this by creating a Phishing site and which tricks you into entering your credentials, including the 2FA challenge.

https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/

EvilGinx2 is a proxy/phishing tool which can extract your session cookie. It does this by creating a Phishing site and which tricks you into entering your credentials, including the 2FA challenge.

Once the user has been fooled, Evilginx saves the token, allowing the attacker to extract and import it into their browser of choice. This whole process defeats the 2FA prompts as the server read the cookie and assume the user has already been authenticated. As I mentioned above, some application has restriction on cookies. The benefit of Evilginx is that the source of the authentication will be the Evilginx server. Meaning, the attack could use a browser on the server itself and bypass any IP and device restrictions. Remember, the session cookie would record the source as the Evilginx server and not your client.

The develop created the video below to explain how it works.

So, what can you do to protect against this type of attack?


Well, the one flaw with this attack is that the DNS record will have to be convincing in order to trick todays users. The attacker will look to host Evilginx on a web server that is accessible to all. This will require the attacker to setup an external IP and DNS record. Because of this, they won’t be able to use any of Microsofts official domains. This goes for Google and any other site which has a Phishlet. Attackers will have to use techniques described in my past post: https://ctrlaltdel.blog/2019/07/11/how-the-phishers-phish/

https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/

The simplest way to fight this is by education. Now that attackers are using HTTPS to seem genuine, we will really need to be checking the URL before entering our credentials.

Hope this article helpful for you. Thank You


If You Appreciate What We Do Here On Hackonology, You Should Consider:

Hackonology is the fastest growing and most trusted community site where you can find lots of courses, articles about Technology/Hacking/Cracking. Millions of people visit Hackonology! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider it with 2-3 coffee as a token of appreciation.


Let's be a part of Hackonology Community! Join our Hacking Team

We Are Indian We Are Great

24 thoughts on “Bypassing 2 Factor Authentication With Cookies!”

  1. Greetings from Ohio! I’m bored to tears at work so I decided to check out your website
    on my iphone during lunch break. I love the info you present here
    and can’t wait to take a look when I get home. I’m surprised at how quick your blog loaded on my mobile ..
    I’m not even using WIFI, just 3G .. Anyhow, awesome blog!
    I’ve been browsing online more than 2 hours today, yet I never found any interesting article like yours.
    It is pretty worth enough for me. In my opinion,
    if all website owners and bloggers made good content as you did, the internet
    will be much more useful than ever before. Hello just wanted to
    give you a quick heads up. The words in your content seem to be running off the screen in Internet explorer.
    I’m not sure if this is a formatting issue or something to
    do with browser compatibility but I figured I’d post to let you know.
    The layout look great though! Hope you get the issue fixed soon. Many thanks http://porsche.com

  2. I absolutely love your website.. Pleasant colors & theme.
    Did you make this amazing site yourself? Please reply back as I’m
    trying to create my very own website and would like to learn where you got this from or
    exactly what the theme is named. Appreciate it!

  3. Thank you a lot for sharing this with all of us you really understand what you’re talking about!
    Bookmarked. Kindly also talk over with my website =).
    We will have a link change agreement between us

  4. I have been browsing online more than three
    hours today, yet I never found any interesting article like yours.
    It’s pretty worth enough for me. In my view, if all website owners and bloggers made
    good content as you did, the web will be a lot more useful
    than ever before.

  5. I blog quite often and I genuinely appreciate your content.
    The article has really peaked my interest. I’m going
    to book mark your site and keep checking for new information about once a week.
    I opted in for your RSS feed as well.

  6. Pingback: Google

  7. I know this if off topic but I’m looking into starting my own weblog and was curious what all is required to get setup?

    I’m assuming having a blog like yours would cost a pretty penny?
    I’m not very web savvy so I’m not 100% sure.
    Any tips or advice would be greatly appreciated. Kudos

  8. Wonderful goods from you, man. I’ve understand your stuff previous to and you are just
    extremely magnificent. I actually like what you’ve acquired here, really like what you are stating and the way in which you say it.
    You make it entertaining and you still care for
    to keep it sensible. I can not wait to read much more from you.
    This is really a great web site.

  9. Pingback: Google

  10. I loved as much as you will receive carried out right here.
    The sketch is attractive, your authored material stylish.

    nonetheless, you command get bought an impatience over that you wish be delivering
    the following. unwell unquestionably come more formerly again since exactly the same nearly very often inside
    case you shield this hike.

  11. Right here is the right site for anyone who wishes to find out about this topic.
    You know so much its almost tough to argue with you (not that I actually will need to…HaHa).
    You certainly put a new spin on a subject that’s been written about for many
    years. Excellent stuff, just wonderful!

Leave a Comment

Your email address will not be published. Required fields are marked *

Login