So, I’ve had a bit of a boost in confidence with 2FA, but @DataSynchronized and I decided to test how much more secure we are now because of it. Turns out, not a whole lot, because one of the main attack vectors is still completely open.
Basically, the testing went as follows: I’ve enabled 2FA on my account, changed my password, and asked her to log in with that password. I received an email, and she wasn’t allowed in. Sweet.
Then I went into EditThisCookie and sent her the contents of my ROBLOSECURITY - which is one of the main attack vectors for account stealing, mind you - and after less than a minute she was logged in as me, completely bypassing 2FA and any other security measures in place on my account. Considering how easy it is for people to gain access to this cookie, I feel like we’re back to square one with account security.
The point is, if you can manage to get the cookie contents (as people have been doing for the longest time!), you can still get into someone’s account regardless of two factor authentication. There aren’t any measures in place to make sure that the cookie is bound to a computer or even a network. Why isn’t there a hash of the MAC or IP address in the cookie that prevents people from using it to get into accounts? What other measures can we take so that even if our cookie gets out, our accounts are still safe? We’re just as vulnerable as we’ve always been, even now that 2FA has finally been released.
Finally, a little disclaimer: I was fully aware of the risks of giving out my cookie, and I wouldn't have given it to anyone else. I knew I could trust her, and I've made sure my account is secure again after we tested this.
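Added example, not part of the post and not Roblox's code: a small server-side session store that shows why the copied cookie works when the server only checks the token, and what changes when the session is bound to the client that logged in. Two caveats on the binding idea raised above: a client's MAC address never reaches a server over the internet, so it cannot go into a cookie check, and binding to the IP address locks out legitimate users whose address changes (mobile networks, VPNs), so production systems usually combine a looser fingerprint with step-up 2FA for sensitive actions rather than a hard reject. The example does both so the difference is visible. `SERVER_SECRET`, the 15-minute re-auth window, the user names, the TEST-NET IP addresses and the User-Agent strings are all constructed for the illustration.

```python
# Added example (not from the post): a server-side session store that binds a
# session cookie to the requesting client and demands fresh 2FA for sensitive
# actions. Names, addresses and timings are hypothetical.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Per-server key for the binding MAC. Assumption: generated at start-up; a real
# deployment loads it from a secret store so every app node shares it.
SERVER_SECRET = os.urandom(32)

OK, NO_SESSION, REVOKED, STEP_UP = "ok", "no_session", "revoked", "step_up"


def fingerprint(client_ip: str, user_agent: str) -> str:
    """Keyed hash of what the server can actually observe about a client.
    A MAC address is not visible across the internet, so it cannot be used here;
    the source IP and User-Agent are the usual (imperfect) inputs."""
    msg = f"{client_ip}|{user_agent}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user: str
    binding: str      # fingerprint captured when the user logged in
    last_2fa: float   # when the user last completed a 2FA challenge


class SessionStore:
    def __init__(self, bind_to_client: bool, reauth_window: float = 900.0):
        self.bind_to_client = bind_to_client  # False reproduces the post's result
        self.reauth_window = reauth_window    # seconds before sensitive actions need fresh 2FA
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str, user_agent: str,
              now: Optional[float] = None) -> str:
        """Issue a session token after password + 2FA succeeded; the token is the cookie value."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, fingerprint(client_ip, user_agent), now)
        return token

    def check(self, token: str, client_ip: str, user_agent: str,
              sensitive: bool = False, now: Optional[float] = None) -> str:
        """Validate a presented cookie for one request."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return NO_SESSION
        if self.bind_to_client and not hmac.compare_digest(
                session.binding, fingerprint(client_ip, user_agent)):
            # Cookie replayed from a different client: revoke it outright so the
            # copied value is dead for everyone, including the real owner.
            del self._sessions[token]
            return REVOKED
        if sensitive and now - session.last_2fa > self.reauth_window:
            # Sensitive action (password/email change, trades): ask for a fresh
            # 2FA code instead of trusting the cookie alone.
            return STEP_UP
        return OK

    def complete_2fa(self, token: str, now: Optional[float] = None) -> None:
        """Record that the user answered a step-up challenge."""
        now = time.time() if now is None else now
        self._sessions[token].last_2fa = now


def replay_scenario(bind_to_client: bool) -> Tuple[str, str, str]:
    """Reproduce the post's experiment: the owner logs in, the cookie is copied to
    a second machine, and both clients present it. Returns the results for
    (owner before the copy is used, copier, owner afterwards).
    Addresses are from the TEST-NET documentation ranges."""
    store = SessionStore(bind_to_client=bind_to_client)
    owner_ip, owner_ua = "203.0.113.5", "Firefox/115"
    copier_ip, copier_ua = "198.51.100.9", "Chrome/120"
    cookie = store.login("owner", owner_ip, owner_ua, now=1000.0)
    owner_before = store.check(cookie, owner_ip, owner_ua, now=1005.0)
    copier = store.check(cookie, copier_ip, copier_ua, now=1010.0)
    owner_after = store.check(cookie, owner_ip, owner_ua, now=1020.0)
    return owner_before, copier, owner_after


if __name__ == "__main__":
    print("unbound (the post's experiment):", replay_scenario(False))  # ('ok', 'ok', 'ok')
    print("bound to client:", replay_scenario(True))                   # ('ok', 'revoked', 'no_session')
```

With `bind_to_client=False` the copied cookie is accepted from the second machine exactly as the post describes; with binding on, the replay is refused and the session is killed, which also logs the real owner out until they sign in again. The step-up path is independent of binding: even a cookie that passes every check still has to produce a fresh 2FA code once the re-auth window has elapsed before a sensitive action goes through.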