“noVNC” Allows MFA Bypass. Expert Reaction

By   ISBuzz Team
Writer , Information Security Buzz | Feb 24, 2022 03:10 am PST

Researcher Mr.dox discovered a way to steal credentials and bypass 2FA by giving users remote access to your server via an HTML5 VNC client with a browser running in kiosk mode. Knowing that companies such as Google & LinkedIn now detect the use of reverse proxies commonly used in MiTM attacks, this method was no longer useful to attackers, so he came up with a clever work-around using the noVNC program. Excerpts:

Essentially, noVNC allows the web browser to act as a VNC client to remotely access a machine.

So how do we use noVNC to steal credentials & bypass 2FA? Setup a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com). Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already setup Firefox in kiosk mode all the user will see is a web page, as expected.

The ways that this can be abused are endless:

Have JS injected into the browser

Have a HTTP proxy connected to the browser that’s logging everything

Close the VNC session when the user authenticates

Grab the session token from the browser (Right Click > Inspect > Application > Cookies) after the user disconnects

Have a keylogger running in the background

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Garret F. Grajek
InfoSec Expert
February 24, 2022 11:10 am

The key takeaway is the 2FA is not the cure all. There is no question that 2FA helps in securing against many hacks – especially the mass credential dumps and usage of these stolen credentials. But for targets under APT attack, CIs, Health Care, Energy, Financials, security admins must assume that their front walls will be breached and take a zero trust approach to the rest of the infrastructure. A vigilant monitoring of identities, their roles, their permissions and their changes is required to ensure the Principle of Least Privilege (PR.AC-6).

Last edited 1 year ago by Garret F. Grajek

Recent Posts

Would love your thoughts, please comment.x