Windows Hello biometric authentication can be bypassed by a downgrade

Carding Forum

Professional
The Windows Hello for Business authentication system (WHfB), which protects employees and organizations from phishing, was vulnerable to downgrade attacks. Using this vector, attackers can get into devices without using biometric authentication.

WHfB has been available since 2016 for commercial and enterprise versions of Windows 10. It is designed for secure login and protection against phishing attacks.

WHfB uses cryptographic keys embedded in the Trusted Platform Module (TPM), as well as biometrics or PIN-code input as an alternative.

It turned out that all these security mechanisms can be circumvented by modifying the parameters in the authentication request. This was reported by researcher Yehuda Smirnov from Accenture. The specialist promises to demonstrate the attack vector at the Black Hat USA 2024 conference, which starts on August 8 in Las Vegas.

As Smirnov explained, an attacker can intercept and modify POST requests to Microsoft's authentication services in such a way that WHfB switches to less secure login methods — one-time codes or passwords.

In an interview with Dark Reading, Smirnov clarified that he managed to downgrade the authentication system using Evilginx — an open source framework that is used for adversary-in-the-middle attacks (AitM — "attacker in the middle").

Evilginx is usually involved in phishing attacks targeting credentials and session cookies. Using this tool, Smirnov intercepted a POST request to "/common/GetCredentialType", changing either the User-Agent or the "isFidoSupported" parameter.

"I modified the Evilginx code and created a phishlet to facilitate attack automation," the researcher explains.
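An added example, not taken from the post, the researcher or Microsoft: a toy Python model of the credential-type negotiation described above. It shows why a client-advertised flag such as "isFidoSupported" (or the User-Agent) must not decide which sign-in methods are offered, and how a server-side requirement for phishing-resistant authentication turns a rewritten request into a refusal rather than a downgrade. The request body shape, the UA heuristic and the method names are assumptions made for illustration.

```python
import json

# Constructed sample inputs (not captured traffic): the request a
# WHfB-capable browser would send, and the same request after the kind of
# flag/UA rewrite the post describes.
GENUINE_BODY = json.dumps({"username": "user@example.com", "isFidoSupported": True})
TAMPERED_BODY = json.dumps({"username": "user@example.com", "isFidoSupported": False})
GENUINE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/126.0"
TAMPERED_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"

PHISHING_RESISTANT = {"fido2", "whfb"}   # methods bound to the device/TPM key
FALLBACK_METHODS = ["password", "otp"]   # phishable methods (assumed names)


def offered_methods_weak(body: str, user_agent: str) -> list[str]:
    """Weak negotiation: the client's own claims decide what is offered.
    Toy assumption: a non-Windows UA is treated as unable to do WHfB."""
    req = json.loads(body)
    ua_supports_fido = "Windows NT 10.0" in user_agent
    if req.get("isFidoSupported", False) and ua_supports_fido:
        return ["fido2", "whfb"]
    return list(FALLBACK_METHODS)


def offered_methods_hardened(body: str, user_agent: str,
                             require_phishing_resistant: bool) -> list[str]:
    """Hardened negotiation: a server-side policy (comparable to a
    Conditional Access authentication-strength requirement) is enforced
    regardless of what the client advertises. If the client claims it
    cannot do FIDO/WHfB, the result is a refusal (empty list), not a
    fallback to a phishable method."""
    offered = offered_methods_weak(body, user_agent)
    if not require_phishing_resistant:
        return offered
    return [m for m in offered if m in PHISHING_RESISTANT]


def downgrade_possible(body: str, user_agent: str,
                       require_phishing_resistant: bool) -> bool:
    """True when a phishable method would be offered for this request."""
    offered = offered_methods_hardened(body, user_agent, require_phishing_resistant)
    return any(m not in PHISHING_RESISTANT for m in offered)


if __name__ == "__main__":
    for label, body, ua in [("genuine", GENUINE_BODY, GENUINE_UA),
                            ("flag rewritten", TAMPERED_BODY, GENUINE_UA),
                            ("UA rewritten", GENUINE_BODY, TAMPERED_UA)]:
        print(f"{label:15} weak={offered_methods_weak(body, ua)} "
              f"hardened={offered_methods_hardened(body, ua, True)}")
```

With the policy flag off, both rewrites make the weak negotiation offer password/OTP; with it on, the same requests get no phishable method at all.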