By using a reverse proxy technique or Evilginx, they can easily bypass 2FA.
Interesting, that Evilginx looks cool. Another attack vector that application creators should be aware of and protect their services against. In general, I recommend using hardware (YubiKey) or app-based (TOTP) 2FA to protect against SIM-swap type attacks. And because web applications are so much more vulnerable, only store significant amounts in a hardware wallet.
@chaintuts right, the reverse proxy technique easily bypasses Blockchain's 2FA; I tested it and it works.
Are you talking about blockchain.com wallets? You should file a bug report; they likely have a responsible disclosure policy/bug bounty :) Thanks for sharing.
@chaintuts oh, but they don't think like that. They said there is a feature where a person with the same IP address doesn't need 2FA because they are logged in from the same IP; after 6 to 8 hours, if they have not logged in again, then they send 2FA.
@chaintuts so they don't consider it a bug.
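As an added illustration of the "same IP skips 2FA for 6 to 8 hours" rule described in the comments above (example code, not from the thread or from any wallet provider), the snippet below models that IP-based skip next to a step-up rule that binds the trust window to a secret issued to the device that completed 2FA. The 8-hour window, the `StepUpPolicy` class and the request shape are assumptions for the demo.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The thread describes a "same IP within 6 to 8 hours skips 2FA" rule; 8 h is assumed here.
TRUST_WINDOW_SECONDS = 8 * 3600


@dataclass
class LoginRequest:
    user: str
    ip: str
    device_token: Optional[str] = None  # cookie issued only after a full password + 2FA login


class StepUpPolicy:
    """Compares an IP-based 2FA skip with trust bound to a per-device secret (hypothetical model)."""

    def __init__(self) -> None:
        self._last_ip_login: Dict[str, Tuple[str, float]] = {}      # user -> (ip, timestamp)
        self._trusted_devices: Dict[str, Dict[str, float]] = {}     # user -> {token hash: expiry}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash so a leaked server-side table cannot be replayed as cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def record_full_login(self, req: LoginRequest, now: float) -> str:
        """Called after password + 2FA succeeded; returns the device token to set as a cookie."""
        self._last_ip_login[req.user] = (req.ip, now)
        token = secrets.token_urlsafe(32)
        devices = self._trusted_devices.setdefault(req.user, {})
        devices[self._fingerprint(token)] = now + TRUST_WINDOW_SECONDS
        return token

    def needs_2fa_ip_rule(self, req: LoginRequest, now: float) -> bool:
        """Weak rule from the thread: anyone arriving from the same IP within the window is trusted."""
        last = self._last_ip_login.get(req.user)
        if last is not None and last[0] == req.ip and now - last[1] < TRUST_WINDOW_SECONDS:
            return False
        return True

    def needs_2fa_device_rule(self, req: LoginRequest, now: float) -> bool:
        """Hardened rule: trust follows the secret issued to the device, not the source IP."""
        if req.device_token is None:
            return True
        expiry = self._trusted_devices.get(req.user, {}).get(self._fingerprint(req.device_token))
        return expiry is None or now >= expiry
```

A second client on the same IP (shared NAT, or anything relaying through that address) is waved through by the IP rule but still challenged by the device rule; the device rule only narrows who inherits the trust window and does not replace the phishing-resistant hardware 2FA recommended earlier in the thread.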