“noVNC” Allows MFA Bypass. Expert Reaction

By ISBuzz Team, Writer, Information Security Buzz | Feb 24, 2022 03:10 am PST

Researcher Mr.dox discovered a way to steal credentials and bypass 2FA by giving users remote access to a server they control through an HTML5 VNC client, with a browser on that server running in kiosk mode. Because companies such as Google and LinkedIn now detect the reverse proxies commonly used in MiTM phishing attacks, that method was no longer useful to attackers, so he came up with a clever work-around using the noVNC program. Excerpts:

Essentially, noVNC allows the web browser to act as a VNC client to remotely access a machine.

So how do we use noVNC to steal credentials & bypass 2FA? Set up a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com). Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing it. And because you’ve already set up Firefox in kiosk mode all the user will see is a web page, as expected.

The ways that this can be abused are endless:

Have JS injected into the browser

Have an HTTP proxy connected to the browser that’s logging everything

Close the VNC session when the user authenticates

Grab the session token from the browser (Right Click > Inspect > Application > Cookies) after the user disconnects

Have a keylogger running in the background
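From the defender's side, the giveaway in the technique above is that the victim's own browser never talks to the real login site at all: it loads a noVNC client page and then opens a WebSocket to a websockify endpoint that carries the remote framebuffer. The following is an added example, not code from the article or from the researcher's write-up, that runs a simple detector over a few constructed web-proxy log lines and flags clients that fetched noVNC client assets or upgraded a connection to a websockify endpoint. The log format, the sample hostnames and the client addresses are all constructed for this example; the path names are the defaults shipped with noVNC and websockify (vnc.html, core/rfb.js, websockify), and since an attacker can rename them, a hit is a lead for investigation rather than proof.

```python
import re
from dataclasses import dataclass

# Default asset and endpoint names shipped with noVNC/websockify. These can be
# renamed by whoever hosts the server, so treat a match as an indicator only.
NOVNC_PATH_HINTS = ("/vnc.html", "/vnc_lite.html", "/core/rfb.js", "/app/ui.js", "/websockify")

# Constructed proxy log format (an assumption for this example):
#   <timestamp> <client-ip> <method> <url> <status> [upgrade=<protocol>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: upgrade=(?P<upgrade>\S+))?$"
)

# Constructed sample log: one client (10.0.0.15) is walked through a full noVNC
# session on a look-alike domain; another (10.0.0.22) only visits ordinary pages
# plus the organisation's own, sanctioned VNC gateway.
SAMPLE_PROXY_LOG = [
    "2022-02-24T09:01:02Z 10.0.0.15 GET https://accounts.example-login.com/vnc.html?autoconnect=1 200",
    "2022-02-24T09:01:03Z 10.0.0.15 GET https://accounts.example-login.com/core/rfb.js 200",
    "2022-02-24T09:01:04Z 10.0.0.15 GET https://accounts.example-login.com/websockify 101 upgrade=websocket",
    "2022-02-24T09:05:10Z 10.0.0.22 GET https://intranet.example.com/index.html 200",
    "2022-02-24T09:06:00Z 10.0.0.22 GET https://vnc.it.example.com/vnc.html 200",
]


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    reason: str


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url):
    m = re.match(r"^[a-z]+://([^/]+)", url)
    return m.group(1).lower() if m else ""


def path_of(url):
    """URL path without query string or fragment (query parameters are irrelevant to the hints)."""
    m = re.match(r"^[a-z]+://[^/]+(/[^?#]*)?", url)
    return (m.group(1) or "/") if m else url


def detect_novnc_sessions(lines, trusted_vnc_hosts=frozenset()):
    """Flag (client, host, reason) triples that look like a noVNC client being served
    from a host that is not a known, sanctioned VNC gateway."""
    findings = []
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = host_of(rec["url"])
        if host in trusted_vnc_hosts:
            continue  # legitimate remote-access gateway, allow-listed by the defender
        path = path_of(rec["url"])
        reason = None
        if rec.get("upgrade") == "websocket" and path.endswith("/websockify"):
            # The WebSocket carrying the RFB (VNC) stream is the strongest signal.
            reason = "WebSocket upgrade to a websockify endpoint"
        elif any(path.endswith(hint) for hint in NOVNC_PATH_HINTS):
            reason = f"noVNC client asset requested: {path}"
        if reason is not None:
            finding = Finding(rec["client"], host, reason)
            if finding not in seen:
                seen.add(finding)
                findings.append(finding)
    return findings


def clients_at_risk(findings):
    """Distinct client addresses that should be checked for an unexpected login session."""
    return sorted({f.client for f in findings})


if __name__ == "__main__":
    hits = detect_novnc_sessions(SAMPLE_PROXY_LOG, trusted_vnc_hosts=frozenset({"vnc.it.example.com"}))
    for f in hits:
        print(f"{f.client} -> {f.host}: {f.reason}")
    print("clients to review:", clients_at_risk(hits))
```

The allow-list matters: many organisations run noVNC legitimately (for example as a browser front end to a jump host), so the useful alert is "noVNC served from a domain we do not operate, shortly after the user followed an external link", which this check approximates by excluding known gateways. Because the victim's credentials and the second factor are entered into a browser on the remote server, resolving such an alert means reviewing the account's recent sign-ins and revoking sessions issued in that window.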