Modern phishing attack- bypass 2FA

We can steal token, Username and password by injecting ".yaml " code in the phishing page.

because now days, real authentication is done by token not password.

Example: if we inject google.yaml in Google phishing page, we can extract token and we need not to go through 2 Factor authentication.

please take a look at evilgnix2 and also google.yaml.



please also take a look at this youtube video:DemmSec


Things like this is why I never click links in an email hehe.

Also isn’t a privacy minded person going to wonder why it logged them in and they never got a text?

@imEH Great share bud. I enjoyed that.


Does this allow multiple sessions, for multiple victims using single link?

Glorious information! Keep it up!