Posts: 10
Threads: 1
Joined: Jun 2022
I see sites like Amazon and Microsoft that all offer 2FA, and they have settings to both "keep me logged in" and "auto-identify account" which essentially bypass 2FA. Then it got me thinking: those settings are stored in cookies. I wonder how easily a bad actor can fake those credentials and just log in anywhere to any account with fake cookies? From what I can tell, the server end does not sanity check whether you logged in first... it only sees if the cookies say to bypass the login security. Am I wrong here?
Posts: 1,596
Threads: 68
Joined: Jul 2007
06-02-2025, 05:31 PM
(This post was last modified: 06-02-2025, 05:33 PM by FireIceTalon.)
I'm certainly no expert on the matter, but to my knowledge, most systems only do the 2FA at the initial login. So it's probably best to log out and delete your cookies/cache after each session if security is a top priority for you. I mean, it's a top priority for everyone in that no one wants to be hacked, but if you are paranoid it's best to do the above.
There are some exceptions during an existing session though, such as if you try to log in from a different device or a different location you may be asked to provide 2FA even if you never logged out.
"Your very ideas are but the outgrowth of conditions of your bourgeois production and bourgeois property, just as your jurisprudence is but the will of your class, made into law for all, a will whose essential character and direction are determined by the economic conditions of the existence of your class." - Marx (The Communist Manifesto)
Posts: 3,493
Threads: 545
Joined: Apr 2010
I always thought most 2FA systems were more than just cookies, such as IP address logging.
But this reminds me, if you're a user of this website, make sure the password for your account is unique. Your passwords are encrypted in this forum software's database, but it's not like there's some deep security in this place that major websites employ. Last year a scripter was able to exploit a vulnerability to use the Lounge's host to send lots of spam emails for a few days. No database hack, but still.
Quote:Considering the mods here are generally liberals who seem to have a soft spot for fascism and white supremacy (despite them saying otherwise), me being perma-banned at some point is probably not out of the question.
Posts: 10
Threads: 1
Joined: Jun 2022
(05-31-2025, 07:50 PM)fresh_meat Wrote: I see sites like Amazon and Microsoft that all offer 2FA, and they have settings to both "keep me logged in" and "auto-identify account" which essentially bypass 2FA. Then it got me thinking: those settings are stored in cookies. I wonder how easily a bad actor can fake those credentials and just log in anywhere to any account with fake cookies? From what I can tell, the server end does not sanity check whether you logged in first... it only sees if the cookies say to bypass the login security. Am I wrong here?
Correct, however if a bad actor spoofed a cookie that said you were already logged in... Then it wouldn't matter if you cleared your cookie cache or not, because on the host computer it just sees your account ping and says: here are my cookies and they want me to bypass 2FA and Keep Me Logged In... because I'm already logged in! Unless I am wrong, I think you would be automatically logged in. And if it were IP logging as Bolty posits, again, that's just for the initial 2FA, but if the "initial sanity check" were completely bypassed because the cookies said you were already logged in (even if you weren't and "keep me logged in"), then it seems to me they can steal your accounts very easily.
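The question in the opening post and in the follow-up above is whether a server simply believes a cookie that says "already logged in, skip 2FA". The script below is an added illustration, not code from this forum or from any site named in the thread; it models the two designs real sites use: an opaque random session ID that is only a lookup key into server-side state, and a signed cookie whose claims are protected by an HMAC under a server-only secret. All user names, secrets and cookie strings in it are constructed for the example. It also shows the part that actually matters in practice: a forged cookie is rejected, but a copied genuine cookie is accepted until the server revokes it, which is why logging out and "sign out of all devices" work only if they delete the server-side record.

```python
"""Added example (not from the thread): how a server decides whether a
"keep me logged in" cookie is genuine.

Design 1: opaque session ID. The cookie is random; everything the server
          trusts (which user, whether 2FA completed) lives server-side.
Design 2: signed cookie. Claims travel in the cookie, but an HMAC computed
          with a server-only secret must match, so edited claims are caught.

In both designs a cookie that merely *says* "logged in, 2FA done" is not
believed. All names, secrets and users below are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)   # constructed; never leaves the server
REMEMBER_ME_TTL = 30 * 24 * 3600          # 30 days, an arbitrary example value

# --- Design 1: opaque session ID, state held server-side ---------------------
_session_store: Dict[str, dict] = {}


def issue_session(user: str, passed_2fa: bool, remember: bool) -> str:
    """Create a server-side session after a *completed* login and return the
    opaque token that goes into the cookie."""
    token = secrets.token_urlsafe(32)     # 256 random bits; not guessable
    _session_store[token] = {
        "user": user,
        "passed_2fa": passed_2fa,
        "expires": time.time() + (REMEMBER_ME_TTL if remember else 3600),
    }
    return token


def check_session_cookie(cookie_value: str) -> Optional[str]:
    """Return the user for a valid session, else None. The cookie text is
    never parsed for claims; it is only a key into the server's own store."""
    rec = _session_store.get(cookie_value)
    if rec is None or time.time() > rec["expires"] or not rec["passed_2fa"]:
        return None
    return rec["user"]


def revoke_session(cookie_value: str) -> None:
    """Logout / 'sign out everywhere' deletes the server record, so a copied
    cookie stops working even though the client still holds it."""
    _session_store.pop(cookie_value, None)


# --- Design 2: signed (stateless) cookie -------------------------------------
def sign_cookie(user: str, passed_2fa: bool, expires: float) -> str:
    payload = f"{user}|{int(passed_2fa)}|{int(expires)}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def check_signed_cookie(cookie_value: str) -> Optional[str]:
    """Recompute the MAC over the claims; reject on mismatch (tampered or
    forged), then apply the claims' own expiry and 2FA flag."""
    try:
        user, flag, exp, mac = cookie_value.split("|")
    except ValueError:
        return None
    payload = f"{user}|{flag}|{exp}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if flag != "1" or time.time() > int(exp):
        return None
    return user


def demo() -> dict:
    """Walk through the thread's scenario: a genuine remember-me cookie, a
    forged one, a copied one, and the copied one after logout."""
    real = issue_session("alice", passed_2fa=True, remember=True)
    forged = "user=alice;logged_in=true;2fa=done"           # constructed forgery
    forged_signed = "alice|1|9999999999|" + "0" * 64         # claims, bogus MAC
    results = {
        "genuine_opaque": check_session_cookie(real),
        "forged_opaque": check_session_cookie(forged),
        "forged_signed": check_signed_cookie(forged_signed),
        "genuine_signed": check_signed_cookie(sign_cookie("alice", True, time.time() + 60)),
    }
    # A copied genuine cookie does work: that is the real risk of cookie
    # theft, and why revocation must happen server-side.
    results["copied_before_logout"] = check_session_cookie(real)
    revoke_session(real)
    results["copied_after_logout"] = check_session_cookie(real)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} -> {outcome}")
```

Running it prints that both forged cookies resolve to no user, the genuine ones resolve to "alice", and the copied cookie is accepted right up until `revoke_session` removes the record. The takeaway for the thread's question: the "keep me logged in" flag is not the secret; the unguessable token (or the server-side MAC) is, so the defence is keeping that token from being stolen and revoking it when it is.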
Posts: 10
Threads: 1
Joined: Jun 2022
(06-03-2025, 01:52 AM)Bolty Wrote: I always thought most 2FA systems were more than just cookies, such as IP address logging.
But this reminds me, if you're a user of this website, make sure the password for your account is unique. Your passwords are encrypted in this forum software's database, but it's not like there's some deep security in this place that major websites employ. Last year a scripter was able to exploit a vulnerability to use the Lounge's host to send lots of spam emails for a few days. No database hack, but still.
Sage advice Bolty! And lock your credit scores.
https://www.bitdefender.com/en-us/blog/h...als-online
They believe this sophisticated software just listens to the net all day long, trawling for information and, most likely thanks to AI, gathering full info about everyone they lock onto. Docs like these most likely go to the highest bidder on the Dark Web.