A security researcher has published a tool that can bypass various two-step verifications commonly used on platforms such as Gmail and Yahoo. That’s what IT Pro says. The tool was placed on GitHub by Polish researcher Piotr Duszy?ski.

The tool was placed along with a step-by-step plan that explains how it can be used in a phishing campaign to steal users’ login credentials and two-step verification codes. In one example, the tool is used to protect Google. If the tool is deployed, it places a server called Modlishka between the target and a secure platform like Gmail, which victims unconsciously connect to when they fill in their login details.

In a hypothetical campaign, a user would encounter a rogue e-mail with a link to the proxy server, which mimics Google’s login procedure. The user would enter his username and password, and then his two-step verification code. All this information is collected and stored on the proxy server. To ensure that the attack is successful, an attacker should follow the process in real time and enter the two-step verification code before it expires.


Because the attack is so simple, a criminal who uses Modlishka for a phishing campaign wouldn’t have to recreate a website, which happens a lot now. All you need is a phishing domain and a legitimate TLS certificate. “So the question is: is two-step verification broken?”, says Duszy?ski.

“Not at all, but with the right reverse proxy targeting your domain through an encrypted, browser-confident communication channel, someone can have a hard time knowing that something is very wrong. Add to that the various errors in browsers that allow URL spoofing, and the problem could be much bigger. Take into account the user’s lack of awareness, and it literally means that you are giving away valuable data.”

Duszy?ski has already successfully tested the tool on platforms like Gmail and Yahoo. He says that the tool is only intended for penetration testing and educational purposes. The only way to protect against this tool is to use physical security keys for two-step verification. Users do not have to enter a code manually.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.