Open riflon opened 6 years ago
Hi riflon,
Thanks for the feedback. This is unfortunately intended behavior. When you proxy the victim through your own fake domain, you can only set cookies in the browser for that specific domain (browser security policies do not allow websites to set cookies for domains other than their own, like .google.com).
This is why, once you successfully log in, you will not be logged in on the real Google website. It is kind of possible to make evilginx proxy the whole Google service website (gmail, drive etc.) through your fake domain, but I cannot imagine how much work it would require and it would have to be constantly updated.
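The cookie scoping rule described in the reply above, as an added example that is not part of the original thread or of evilginx: a simplified JavaScript version of the RFC 6265 `Domain` checks a browser applies when storing and sending cookies. The hostnames and cookie values are constructed, and public-suffix, Path and Secure handling are omitted.

```javascript
// Added example: simplified RFC 6265 Domain handling, not a full cookie jar.
// Omitted on purpose: public-suffix rejection, Path, Secure, cookie prefixes.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // Suffix matching applies to host names only, never to IP addresses.
  return host.endsWith("." + cookieDomain) && !IPV4.test(host) && !host.includes(":");
}

// RFC 6265 section 5.3: is a Set-Cookie received from `responseHost` stored,
// and with which scope?
function acceptSetCookie(responseHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = pair.split("=")[0];
  let domainAttr = "";
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    if (key === "domain" && eq !== -1) {
      // A leading dot is ignored; the value is compared case-insensitively.
      domainAttr = attr.slice(eq + 1).trim().replace(/^\./, "").toLowerCase();
    }
  }
  if (domainAttr === "") {
    // No Domain attribute: host-only cookie, returned to this exact host only.
    return { stored: true, name, domain: responseHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatch(responseHost, domainAttr)) {
    // The responding host is outside the requested domain: cookie is dropped.
    return { stored: false, name, reason: "Domain does not cover responding host" };
  }
  return { stored: true, name, domain: domainAttr, hostOnly: false };
}

// Would the stored cookie be attached to a request for `requestHost`?
function sentTo(cookie, requestHost) {
  if (!cookie.stored) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed input: a response served from a look-alike host.
const PROXY_HOST = "accounts.lookalike.example";
const foreign = acceptSetCookie(PROXY_HOST, "SID=constructed; Domain=.google.com; Path=/");
const own = acceptSetCookie(PROXY_HOST, "SID=constructed; Domain=lookalike.example; Path=/");
```
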
Hello @kgretzky, first of all I want to thank you, this tool is really awesome and very useful for pentest engagements. I was testing the Google template, and the cookies and credentials are stolen and work like a charm. However, I noticed that the victim is not being logged in after entering the credentials. I mean, the victim is being redirected to the myaccounts page but is not authenticated.
I tried to troubleshoot and all the cookies seem to be OK. However, the last request after authentication is performed (after sending credentials and before being redirected to myaccount.google.com) is not sending the corresponding cookies. I'm suspecting that maybe that's the reason why the victim is not being authenticated.
Is it possible that Google has changed something and that's why it is not working? Could you give me a hand with this?
Thanks man, I would really appreciate your help.