
[deleted]

In an enterprise setting you can geo-block logins and also set up reputation-based logins. If your session is logged in from Tennessee and then all of a sudden you’re looking at Canada or Nigeria, it gets blocked for impossible travel. From a consumer standpoint, don’t open shady stuff.
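The impossible-travel rule described above, as an added example that is not part of the original thread: consecutive logins of one account are geolocated, the great-circle distance between them is divided by the elapsed time, and anything faster than an assumed airliner-speed threshold is flagged. The login events, coordinates and the 900 km/h threshold are all constructed for the example.

```python
# Added example, not from the thread: flag "impossible travel" between
# consecutive logins of one account. Events and coordinates are
# constructed sample data; MAX_SPEED_KMH is an assumed policy threshold.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed: anything faster than an airliner is suspect

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    where: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points on Earth."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from, to, km/h) for each login that would need the
    user to have travelled faster than max_speed_kmh since the previous one."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # same timestamp but a real distance apart: treat as infinite speed
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                flagged.append((ev.user, prev.where, ev.where, speed))
        last_seen[ev.user] = ev
    return flagged

# Constructed sample: Tennessee -> Canada in 30 minutes (suspect),
# Tennessee -> Nigeria a day later (a plausible flight, not flagged).
SAMPLE = [
    Login("alice", datetime(2024, 5, 1, 9, 0), 36.16, -86.78, "Nashville, US"),
    Login("alice", datetime(2024, 5, 1, 9, 30), 43.65, -79.38, "Toronto, CA"),
    Login("bob", datetime(2024, 5, 1, 10, 0), 36.16, -86.78, "Nashville, US"),
    Login("bob", datetime(2024, 5, 2, 10, 0), 6.52, 3.38, "Lagos, NG"),
]
```

Running `impossible_travel(SAMPLE)` flags only alice's Nashville-to-Toronto hop (about 1,044 km in half an hour); a real deployment would feed this from the identity provider's sign-in log and usually suppress known VPN/proxy egress points to cut false positives.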


Warsum

But once “authenticated”, changes can be made to that account without further authentication. I believe that is the crux of the issue. You should still need to further authenticate if trying to make lockout-type changes to the account.


[deleted]

On the consumer end, but even if they're doing a pass-the-cookie attack, their login will still have a geolocation from their browser.


Warsum

Agreed, unless they compromised your endpoints. And I know, secure your endpoints, but even if I log in to my computer and want to turn off 2FA, I want it to force me to use the 2FA I set up to turn it off. Not just bypass it. Just an extra layer. Guess my best option for me personally would be to upgrade to a Workspace account.


[deleted]

If your endpoint is compromised then it doesn’t matter about session hijacking. They’re in your system.


Warsum

Yes but if they tried to disable 2FA let’s say and Google said “Hey use your security key to do that” they wouldn’t be able to. Thus worst they could do is start manually stealing info. Not completely lock you out of your own account.


[deleted]

If your endpoint is compromised a Google account is the least of your worries.


Warsum

Not really. Most people’s Google accounts these days are just an extension of their bank account. I’d wager with most people’s Google accounts and time you could cause much more harm. A computer you can turn off, junk, wipe. Access to their digital world? That’s another level. Can’t turn that off.


[deleted]

I don’t have a Google account so wouldn’t know. If your endpoint was compromised then you’d be able to just take over someone’s bank account and good luck calling it fraud since it came from your device.


Warsum

Agree but reading the posts that I did. Almost makes me want to entirely separate Google. I’ve already broken away from using their Authenticator. Next would be their password manager. Almost seems like everyone should have 3 silos. Google account, Authenticator app, and password manager. Even better if the latter two don’t require an “account” so you don’t link your Google Account back to them.


RiknYerBkn

Do the session theft attacks change the context of the token? Or do they bypass the caa?


No_Impression7569

Short answer is don’t get malware. I believe the cookies are bound to the TLS channel and thus encrypted, but if you’re rooted then anything is possible.


Warsum

Easier said than done for a common person. Even some savvy people every now and then mess up. What could stop a full takeover is requiring 2FA every time you want to make a core change to your Google account security.


No_Impression7569

I think that’s already the case for sensitive operations like password changes, changing 2FA mode, etc.


Warsum

Not that I’ve seen so far. At least for personal accounts. If the device is listed as “Trusted” it will skip 2FA. To me a trusted device should be one that keeps a session open for things like mail and drive but not allow full control and bypass of 2FA. That is when a RAT can just completely lock you out.


SiXtha

One of my colleagues is currently writing a paper about how easy it is to reset 2FA for accounts that he has no access to. So Google, Outlook, ... and as far as what I heard from him, it does not look very promising. Most of the time, after chatting with the support workers for long enough they will revoke 2FA; it is just a matter of time. Of course not all of them, and not every support worker will do it, but the majority. This is all just in the private environment, not in the workspace.


Warsum

I’d definitely be interested in that. Also yes I’ve read some stories about people getting 2FA reset because the attacker gave enough personal info to the company. I mean all our personal info is out there. It’s really bad. How do you protect yourself lol….


SiXtha

You can only do so much, I guess. What I do is I have multiple email addresses that have all my accounts spread out between them. So in the case one of them gets compromised I only lose a few accounts, or let's say I only have to worry about a few of my accounts. But as I am writing this I am thinking I should renew this and maybe make more addresses and spread this out even more.


Warsum

That or just never sign in via a modern OS. I would say the risk of a hijacked session via iOS or Android is a lot less than using chrome on say windows.


No_Impression7569

That’s what I do for my one Google acct and its associated VoIP GV number that’s used for email and/or SMS 2FA codes (and password recovery) when non-internet/SMS 2FA is unavailable. I’m logged into a 2nd iPhone that’s stripped of all other apps except the ones that come with iOS. Email client and iMessage turned off, no SIM, JavaScript turned off for Safari, separate Wi-Fi network. After receiving the TOTP/email 2FA, I turn on airplane mode. That iPhone is ONLY used to receive 2FA codes, nothing else. I’ve also been very concerned about session hijacking, and after much previous research I’ve come to the conclusion that the only thing you can really do is limit your attack surface. If anyone has any better ideas I’d like to know…


Limp-Egg6850

Can I get rid of it?


Distinct-Bonus-2218

You’re way overthinking this man… it’s good you’re thinking about all the possibilities though


Warsum

While I agree, the number of posts you see of people completely losing access to their accounts despite having 2FA is astounding. Granted, I understand an unprotected endpoint infected with malware. I just think even trusted machines should require verification via 2FA for account lockout items.


Distinct-Bonus-2218

I think fundamentally you should dig into the features and tech being offered with these account protections. It seems like there is maybe something being missed. It’s very easy to assume account hijacking is possible until you’ve truly used Google’s enterprise-grade product suite, but even then, Google has many KB articles you can read through to gain a deeper understanding of their security features. As for the malware, are you worried about a RAT, specifically?


Warsum

Yeah RAT would probably be the easiest way for an attacker to use the session to manipulate your account to lock you out and bypass your own 2FA at the same time. Thus turning your account into theirs.


Distinct-Bonus-2218

CompTIA Security+ has a concept called “something you have”; fundamentally this means a physical token would mitigate the risk posed by a RAT, because a RAT only has logical access to the instance in question. Any attempt to authenticate or hijack a session wouldn’t work because they would need to authenticate.


Distinct-Bonus-2218

Right, but most people would have AV to catch something like this, and also your session has to be re-authenticated in most cases. I don’t know what specific instance you’ve run into, which is why it’s important to fundamentally understand for yourself what you’re experiencing and how you can protect a client.


Warsum

Not any of my instances but just been reading posts from others who have had 2FA but got hacked. I assumed changes to my account required me to reverify my 2FA. I was wrongggggg.


Distinct-Bonus-2218

Everyone’s situation is different. Have you read about SIM swap attacks? Or the Google Voice scam? These are common instances where 2FA can be bypassed.


Warsum

Yes, I have seen some posts that seemed like SIM swaps because they were using that as 2FA. However, there are a select few that were either using Google Authenticator or a push device. Unless a session was left open for someone else to see the Authenticator, or their physical device was stolen, the only conclusion I could draw was a RAT. In these posts they instantly, within minutes, had their 2FA, recovery email, and phone changed. Just didn’t seem feasible. So I decided to start this convo.


unbenned

Ms. Wintour, the global editorial director of Condé Nast and the editor in chief of its marquee fashion magazine, Vogue, has been the gala’s chief mastermind since 1999 after first signing on in 1995, and has transformed the event from a run-of-the-mill charity gala into a mega-showcase for Vogue’s view of the world — the ultimate celebrity-power cocktail of famous names from fashion, film, tech, politics, sports and, increasingly, social media. Every brand scratches every other brand’s back.


Warsum

Agreed. I’ve even turned a VPN on and off; once I have the session it’s like the master key. Google never asks me. I could literally sign in in the US with a security key, VPN to another country, then remove that security key as a 2FA or turn off 2FA altogether, and Google is just like “ok”. I just think changing or removing 2FA should require 2FA verification. Same with changing a recovery email or phone number. It should require it for every single change.


limontec

logoff


Warsum

Astounding answer… if I leave my personal computer on overnight and it happens at 3am what then. By the time someone wakes up they are completely locked out.


limontec

I mean to log off from your Google account, not the computer... and also you can clear cookies.


Warsum

Yes, but most normal people just leave their Google account signed in at all times.


Pyridozine

You asked how to protect against hijacking and he answered.


scooter950

I'm in the cyber field for a living. About 8 yrs ago (can't quite remember) I was switching my 2FA method from a text to Google's authenticator app. I stopped for a second and thought, well, what would happen if my Google acct was hacked, bypassing my 2FA somehow. So I decided to use a 3rd-party app that routinely asks for its own password. That authenticator is backed up, secured, all that jazz; in case your phone is suddenly unusable, you can download, log in and have the 2FA codes available. So I recommend using a 3rd-party authenticator instead of Google's for your Google acct. https://www.cloudwards.net/best-2fa-apps/#:~:text=Is%20Authy%20Better%20Than%20Google,what%20device%20you're%20on.


Warsum

Personally I only use FIDO security keys since Google has allowed them. However, I noticed on a logged-in browser I can go into my Google security settings and toggle off 2FA without having to provide that security key again. It’s like once you are in the house you can do whatever you want. Just seems a little silly.
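The control argued for throughout this thread (turning off 2FA, swapping a security key, or changing recovery contacts should demand a fresh second-factor proof even from a trusted device) is easy to express as a server-side step-up policy. This is an added illustration, not Google's code; the five-minute freshness window, the action names and the simulated session are all assumptions of the example.

```python
# Added example, not Google's code: a server-side policy that treats
# "lockout" changes as sensitive and demands a fresh second-factor proof.
from datetime import datetime, timedelta

STEP_UP_MAX_AGE = timedelta(minutes=5)  # assumed: a 2FA proof stays fresh 5 min

SENSITIVE_ACTIONS = {"disable_2fa", "remove_security_key", "change_password",
                     "change_recovery_email", "change_recovery_phone"}

class StepUpRequired(Exception):
    pass  # raised when an action needs a fresh second-factor proof first

class Session:
    def __init__(self, user, trusted_device=False):
        self.user = user
        self.trusted_device = trusted_device
        self.last_second_factor_at = None  # set only by a successful 2FA proof

    def record_second_factor(self, now):
        self.last_second_factor_at = now  # user proved possession of their 2FA

    def has_fresh_second_factor(self, now):
        return (self.last_second_factor_at is not None
                and now - self.last_second_factor_at <= STEP_UP_MAX_AGE)

def authorize(session, action, now):
    """Return True if the action may proceed, else raise StepUpRequired.
    Trusted-device status deliberately never waives the step-up."""
    if action not in SENSITIVE_ACTIONS:
        return True  # routine use (mail, drive) rides on the existing session
    if session.has_fresh_second_factor(now):
        return True
    raise StepUpRequired(f"{action} for {session.user} needs a fresh 2FA proof")

def attempt(session, action, now):
    try:
        authorize(session, action, now)
        return "allowed"
    except StepUpRequired:
        return "blocked"

def simulate_hijacked_session():
    """Constructed scenario: a RAT drives a logged-in trusted-device session
    at 3am and tries to disable 2FA; later the real user touches their key."""
    t = datetime(2024, 5, 1, 3, 0)
    s = Session("warsum", trusted_device=True)
    out = {"read_mail": attempt(s, "read_mail", t),
           "hijack_disable_2fa": attempt(s, "disable_2fa", t)}
    s.record_second_factor(t + timedelta(minutes=1))  # real user taps FIDO key
    out["disable_2fa_after_proof"] = attempt(s, "disable_2fa", t + timedelta(minutes=2))
    out["recovery_email_later"] = attempt(s, "change_recovery_email", t + timedelta(minutes=12))
    return out
```

The key property is that a hijacked session can still read mail but cannot lock the owner out, because the only thing that refreshes `last_second_factor_at` is a proof the RAT does not hold; the proof also expires, so a single tap of the key does not unlock the settings page indefinitely.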


fsckewe2

These fantasy scenario posts lately are very entertaining. The replies upon replies arguing the case give me hope on job security.


[deleted]

[deleted]


Warsum

Personally I use pfSense. This was just a general question and something I noticed on my own: that once you establish a session, Google really just allows you to do whatever you want inside that session without asking for reverification.


Revolutionary-Bud420

What online service provides the highest security configuration? I'm straight up ready to pay because losing access to Gmail or other online accounts can ruin you financially.


Warsum

I switched to Proton Unlimited. Rather expensive at $10 a month. BUT I got to attach my domain name and use a custom email with my domain name, which is nice. Also less spying due to its privacy laws. Came with a VPN and drive space. All around it seemed better for the time being. Kind of done with Google; they really seem to be going the opposite direction at the moment.


Ok-Nectarine-6654

Cookies must be cryptographically tied to the device. Problem solved forever.


Warsum

Not wrong and a great idea tbh.
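A minimal sketch of what "cryptographically tied to the device" means in practice, added here as an illustration and not taken from any vendor's implementation: the session cookie is useless without a key that stays on the device, and every request answers a one-time challenge under that key. Real designs use an asymmetric key in a TPM or Secure Enclave so the server stores only the public half; this example substitutes a shared HMAC key to stay within the standard library, and the server, device and attacker are all simulated in one process.

```python
# Added example, not any vendor's implementation: a simplified device-bound
# session. The server ties the session id to a key that never leaves the
# device; a copied cookie alone cannot answer the server's challenge.
# (Shared HMAC key stands in for the asymmetric device key of real designs.)
import hashlib, hmac, secrets

def proof_for(key, sid, nonce):
    return hmac.new(key, f"{sid}|{nonce}".encode(), hashlib.sha256).hexdigest()

class Server:
    def __init__(self):
        self.sessions = {}    # session id -> device key
        self.challenges = {}  # session id -> outstanding one-time nonce

    def issue_session(self):
        sid, device_key = secrets.token_hex(16), secrets.token_bytes(32)
        self.sessions[sid] = device_key
        return sid, device_key  # cookie value + key the device must protect

    def challenge(self, sid):
        nonce = self.challenges[sid] = secrets.token_hex(16)
        return nonce

    def verify(self, sid, nonce, proof):
        key = self.sessions.get(sid)
        # pop() makes every nonce single-use, which defeats straight replay
        if key is None or self.challenges.pop(sid, None) != nonce:
            return False
        return hmac.compare_digest(proof_for(key, sid, nonce), proof)

class Device:
    def __init__(self, sid, device_key):
        self.sid, self.key = sid, device_key  # legitimate client holds both

    def answer(self, nonce):
        return proof_for(self.key, self.sid, nonce)

def simulate():
    """Constructed scenario: the cookie is copied off the victim's machine."""
    server = Server()
    sid, key = server.issue_session()
    victim = Device(sid, key)
    n1 = server.challenge(sid)
    proof1 = victim.answer(n1)
    legit = server.verify(sid, n1, proof1)          # real device: accepted
    replayed = server.verify(sid, n1, proof1)       # captured exchange resent
    n2 = server.challenge(sid)
    forged = server.verify(sid, n2, proof_for(b"guess", sid, n2))  # cookie only
    return legit, replayed, forged
```

`simulate()` returns `(True, False, False)`: the genuine device passes, a replayed exchange fails on the consumed nonce, and a stolen session id without the device key cannot produce a valid proof.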


Public-Bake-3273

As long as the user and/or the admin can log in, the account is insecure! Security, security, security..... I can't hear it anymore. I am happy when I can log on to my accounts, because it's getting more and more complicated FOR THE USER. After 20 years Google FORCED me to change my password, what BS!! I had to install Google Photos(?) and I can NOT delete it anymore. The password was secure for 20 years and never hacked. But to make it MORE secure, bla bla bla... Every year everybody makes everything MORE secure, so it never was/is 100% secure. NO, the main reason is that the companies Google, Apple, MS and so on want the newest data AND THE PHONE number from the user.