So MFA ≠ Invincibility After All: Explaining Pass-The-Cookie Attacks *for noobs like me*



Edit: Thank you all for the active and wonderful responses. I am wowed. One of you has also added another way of minimizing the risk. Check it out below.
TLDR: Read the title again and then say this after me… "Cookie, bad."
One of today's hottest crypto stories is that of Vitalik's Twitter hack, which led to a huge NFT claim scam being peddled via his account. A fellow redditor suggested that the crackers accessed his (Vit's) account by hijacking his browser session cookies and thus bypassing 2FA. https://www.reddit.com/r/CryptoCurrency/comments/16ek8e9/vitaliks_twitter_is_hacked_do_not_interact_with/ So I was like, "Wait… what? Bypassing 2FA? Is that even possible?" A quick bit of research later turned up something I should have known of looong ago. Anyway, this is it, for those who don't know. Have a nice read.
Although multi-factor authentication (MFA) reduces the attack surface by preventing criminals with stolen user credentials from logging on, it is possible to steal cookies from current or recent web sessions to bypass MFA.

HOW?

Browser cookies enable web applications to store user authentication information, so a user can stay signed in instead of having to supply their username and password every time they navigate to a new page on a website. Convenient? Yeah! Safe? Um… not very. Attackers can exploit this functionality to steal the session token and skip the login challenge.
Behind the scenes, browsers store cookies in SQLite database files. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates, blah blah blah.
If MFA is enabled, the user has to provide additional proof of their identity, such as by accepting a push notification on their mobile device. Once the user has passed MFA, a browser cookie is created and stored for that user's web session. Therefore, the vulnerability is obvious: if somebody were able to extract the right browser cookies, they could authenticate as that user in a totally separate web browser session on another system. In short, they could use the cookie to bypass the MFA step entirely. Ta daa!
The attack can be scripted since attackers know the exact name and location of the SQLite database files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. It’s not uncommon to find such scripts along with other modules in info-stealing and other malware. To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

Should I Panic? (Spoiler: Yes! /s)

Pass-the-Cookie attacks are a serious threat for a few reasons.
– A Pass-the-Cookie attack does not require administrative rights; all users can read and decrypt their own browser cookies, regardless of whether they have privileged rights on their workstations.
– The attacker doesn’t have to know the compromised account’s user ID or password, so this attack is possible with minimal information.
– It is possible to complete Pass-the-Cookie attacks after the browser has been closed, because the server-side session usually stays valid until it expires or the user explicitly logs out.
The following article by Jeff Warren provides a good example of how the attack works: https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack/
Cybercriminals can even use the cookies to change the passwords and email addresses associated with user accounts, trick the victims into downloading additional malware, or deploy other exploitation tools.

What should/shouldn't we do?

There are a few ways of minimizing the risk:
– Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password.
– It’s recommended that users uncheck the “remember passwords” or "remember me" settings, and users should probably not allow persistent sessions either.
– You can also delete all cookies automatically when you close the browser.
– Implement authentication monitoring and threat detection products.
– Use a degen hardened web browser.
– Use a (preferably offline) password manager (any KeepassDX fans out there?) for the constant logging in. DYOR on this one.
– Be careful of the links you click.
– (Supplied by u/nutyourself) just log out after using high-risk sites (bank, credit exchanges, Twitter (if you’re famous enough), etc.)
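To make the "cookie is created after MFA" point from the HOW section and the "just log out" / "closing the browser doesn't help" points above concrete, here is an added example written for this post (not the post's own code, not any real site's implementation). It models a hypothetical server-side session store: a session token is only issued after the MFA step, it has a short absolute lifetime, it is bound to a coarse client context (user agent plus IP prefix, both constructed values here), explicit logout deletes the server-side record, and a cookie replayed from a different context raises an alert the monitoring products mentioned above would consume. `SESSION_TTL`, `SessionStore`, and the user/agent/IP values are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for this example: a short absolute session lifetime in seconds.
SESSION_TTL = 15 * 60


class SessionStore:
    """Hypothetical server-side session store (example code, not a real site's)."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session token -> record
        self._clock = clock   # injectable so expiry can be exercised without waiting
        self.alerts = []      # detection events a SOC would want to see

    @staticmethod
    def _fingerprint(user_agent, ip_prefix):
        # Coarse client context the session is bound to. A cookie copied to
        # another machine normally arrives with a different context.
        return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()

    def issue_after_mfa(self, user, user_agent, ip_prefix):
        """Create a session only after password AND MFA step have succeeded."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "expires": self._clock() + SESSION_TTL,
            "fp": self._fingerprint(user_agent, ip_prefix),
        }
        # The Set-Cookie header the app should send: Secure (HTTPS only),
        # HttpOnly (no script access), SameSite (less CSRF), Max-Age (not forever).
        set_cookie = f"session={token}; Secure; HttpOnly; SameSite=Lax; Max-Age={SESSION_TTL}"
        return token, set_cookie

    def validate(self, token, user_agent, ip_prefix):
        """Return the user for a presented cookie, or None if it is not accepted."""
        rec = self._sessions.get(token)
        if rec is None:
            return None                     # revoked (logged out) or never issued
        if self._clock() > rec["expires"]:
            del self._sessions[token]       # absolute lifetime reached
            return None
        presented = self._fingerprint(user_agent, ip_prefix)
        if not hmac.compare_digest(rec["fp"], presented):
            # Same cookie, different client context: treat as a replayed (stolen)
            # session, raise an alert, and force whoever holds it to re-authenticate.
            self.alerts.append({"user": rec["user"],
                                "reason": "session replayed from new client context"})
            del self._sessions[token]
            return None
        return rec["user"]

    def logout(self, token):
        """Explicit logout kills the server-side record; a stolen copy becomes useless."""
        self._sessions.pop(token, None)


def demo():
    """Walk through the scenarios from the post with constructed inputs."""
    now = [1_700_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    ua, net = "Firefox/117", "198.51.100"      # constructed victim context

    # 1. Normal use after MFA.
    tok, _ = store.issue_after_mfa("alice", ua, net)
    legit = store.validate(tok, ua, net)

    # 2. Same cookie presented from a different machine (pass-the-cookie).
    replay = store.validate(tok, "Chrome/116", "203.0.113")

    # 3. Closing the browser changes nothing server-side, but logging out does.
    tok2, _ = store.issue_after_mfa("alice", ua, net)
    store.logout(tok2)
    after_logout = store.validate(tok2, ua, net)

    # 4. Even an untouched session dies once its absolute lifetime passes.
    tok3, _ = store.issue_after_mfa("alice", ua, net)
    now[0] += SESSION_TTL + 1
    after_expiry = store.validate(tok3, ua, net)

    return {
        "legit": legit,
        "replay": replay,
        "alerts": len(store.alerts),
        "after_logout": after_logout,
        "after_expiry": after_expiry,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats on the design: binding to an IP prefix causes false positives for users on mobile networks or VPNs, and a user agent is trivially copied by the same malware that copies the cookie, so the context check is a detection aid, not a guarantee. The controls that actually remove the window are the short absolute lifetime and the server-side revocation on logout, which is why the "log out after high-risk sites" advice works while simply closing the browser does not.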
To round it all up, here's a quote from https://www.computerweekly.com/news/252495081/Should-I-be-worried-about-MFA-bypassing-pass-the-cookie-attacks

Most people deploying and using MFA are inclined to think of it as like a magical talisman to stop them being hacked, which is simply untrue. Thinking that MFA magically makes you unhackable is even more dangerous than not using MFA. Unfortunately, most MFA implementers and certainly most users don’t understand this. For example, I can send anyone a phishing email and get around their MFA solution and if you don’t know that, you might not pay as much attention to what URL you’re clicking on.

Y'all capisce? Good.
One more reference: https://www.esecurityplanet.com/threats/hackers-steal-session-cookies-to-bypass-mfa/

submitted by /u/No-Elephant-Dies