Researcher Mr.dox discovered a way to steal credentials and bypass 2FA by giving targets remote access to an attacker-controlled server through an HTML5 VNC client (noVNC) and a browser running in kiosk mode. Because companies such as Google and LinkedIn now detect the reverse proxies commonly used in MitM phishing, that approach had stopped working for attackers, so he came up with a clever work-around using the noVNC program. Excerpts:
Essentially, noVNC allows the web browser to act as a VNC client to remotely access a machine.
So how do we use noVNC to steal credentials & bypass 2FA? Set up a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com). Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing it. And because you’ve already set up Firefox in kiosk mode, all the user will see is a web page, as expected.
The ways that this can be abused are endless:
Have JS injected into the browser
Have an HTTP proxy connected to the browser that’s logging everything
Close the VNC session when the user authenticates
Grab the session token from the browser (Right Click > Inspect > Application > Cookies) after the user disconnects
Have a keylogger running in the background
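A defender-side check, added here as an example and not part of mr.d0x's write-up or the noVNC project: the victim's own browser has to load the noVNC client page (the stock vnc.html or vnc_lite.html, usually with autoconnect/resize/password query parameters) and then open a WebSocket to a websockify endpoint, so a stock deployment leaves two distinctive entries in a web-proxy log. The seven-field log layout, the user names and the login-portal.example / intranet.example / chat.example hosts below are constructed for the example.

```python
"""Flag web-proxy log entries that look like a browser being handed a noVNC
session (the kiosk-browser phish described above).

Added example. The log format is a constructed, hypothetical
space-separated layout: ts user src_ip method url status upgrade
(upgrade is the request's Upgrade header, or '-' when absent).
"""
from urllib.parse import parse_qs, urlsplit

# Stock noVNC client pages and the query parameters they understand.
NOVNC_PAGES = {"vnc.html", "vnc_lite.html"}
NOVNC_PARAMS = {"autoconnect", "resize", "password", "host", "port",
                "path", "reconnect", "view_only"}
# Default path of the VNC-over-WebSocket tunnel served by websockify/noVNC.
WEBSOCKIFY_PATHS = {"websockify"}


def novnc_indicators(url: str, upgrade: str = "-") -> list[str]:
    """Return the noVNC indicators present in one request (URL + Upgrade header).

    Only the client page and the websockify upgrade are treated as hits on
    their own; recognised query parameters are reported as detail so that an
    unrelated '?host=...&port=...' URL does not fire by itself.
    """
    parts = urlsplit(url)
    page = parts.path.rstrip("/").rsplit("/", 1)[-1].lower()
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    hits: list[str] = []
    if page in NOVNC_PAGES:
        hits.append(f"novnc-client-page:{page}")
        known = sorted(params & NOVNC_PARAMS)
        if known:
            hits.append("novnc-params:" + ",".join(known))
    if upgrade.lower() == "websocket" and page in WEBSOCKIFY_PATHS:
        hits.append("websockify-upgrade")
    return hits


def parse_line(line: str) -> dict:
    """Split one constructed proxy-log line into named fields."""
    ts, user, src, method, url, status, upgrade = line.split()
    return {"ts": ts, "user": user, "src": src, "method": method,
            "url": url, "status": int(status), "upgrade": upgrade}


def scan_proxy_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (user, url, indicators) for every line carrying a noVNC indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        hits = novnc_indicators(rec["url"], rec["upgrade"])
        if hits:
            findings.append((rec["user"], rec["url"], hits))
    return findings


def confirmed_sessions(findings) -> set[str]:
    """Users who both loaded a noVNC client page and upgraded to websockify,
    i.e. a VNC session was actually established, not just a page fetched."""
    pages, sockets = set(), set()
    for user, _url, hits in findings:
        if any(h.startswith("novnc-client-page:") for h in hits):
            pages.add(user)
        if "websockify-upgrade" in hits:
            sockets.add(user)
    return pages & sockets


# Constructed sample log: alice is served the kiosk-browser phish, bob is not.
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z alice 10.0.4.17 GET https://accounts.google.com/signin/v2/identifier 200 -",
    "2024-05-02T09:15:41Z alice 10.0.4.17 GET https://login-portal.example/vnc.html?autoconnect=true&resize=remote&password=s3cret 200 -",
    "2024-05-02T09:15:42Z alice 10.0.4.17 GET wss://login-portal.example/websockify 101 websocket",
    "2024-05-02T09:20:10Z bob 10.0.4.22 GET https://intranet.example/search?host=db01&port=5432 200 -",
    "2024-05-02T09:21:00Z bob 10.0.4.22 GET wss://chat.example/socket 101 websocket",
]

if __name__ == "__main__":
    for user, url, hits in scan_proxy_log(SAMPLE_LOG):
        print(user, url, hits)
    print("confirmed:", confirmed_sessions(scan_proxy_log(SAMPLE_LOG)))
```

This only catches a stock noVNC deployment: an attacker can rename vnc.html, change the websockify path and strip the query string. A check that survives that is to look inside the WebSocket frames for the RFB handshake, which begins with the server's 12-byte ProtocolVersion string ("RFB 003.008\n" for RFB 3.8), but that needs a proxy that can inspect WebSocket payloads rather than a URL log.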