When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into the real login page. In the event targets' accounts were protected by 2fa, the attackers redirected the targets to a new page that requested the one-time password.
In an email, a Certfa representative said company researchers confirmed that the technique successfully breached accounts protected by SMS-based 2fa. The researchers were unable to confirm that the technique succeeded against accounts protected by 2fa that delivered one-time passwords through apps such as Google Authenticator or a compatible app from Duo Security.
Once a target enters a password on what she believes is the authentic Gmail or Yahoo Mail site, the attackers' near-simultaneous login on the real site triggers the second factor: she will either open the 2fa app as instructed by the fake redirection page or receive a push notification from the phone app, at the moment she expects one. In either case the code she types into the fake page can be relayed to the real site within its validity window.
The notable exception is that this attack is impossible, at least in theory, against 2fa that uses an industry-standard security key. Such keys (U2F and FIDO2/WebAuthn) sign the site's challenge together with the origin the browser reports, so an assertion produced while the victim is on a look-alike phishing domain is not valid for the real Gmail or Yahoo login page, and there is no code for the victim to type into the fake page in the first place.
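The following is an added simulation of the relay described above, not code from Certfa, Ars Technica or the attackers. Two mock "real site" logins stand in for Gmail or Yahoo: one accepts a password plus an RFC 6238 TOTP code (the kind Google Authenticator and compatible apps generate, and the same relay applies to an SMS code), the other accepts an origin-bound assertion modelled on a U2F/FIDO security key. A mock phishing page forwards whatever the victim supplies. The origins, secrets, password and the HMAC used as a stand-in for the key's public-key signature are all constructed for illustration.

```python
"""Constructed simulation of real-time 2FA relay (credential phishing proxy).

Shows why a relayed one-time password is accepted by the real site, and why
a security-key assertion produced on the phishing origin is rejected.
Nothing here is the attackers' or Certfa's code; all values are made up.
"""
import base64
import hashlib
import hmac
import struct

# ---- Genuine site, factors: password + app/SMS one-time password ---------
PASSWORD = "correct horse battery staple"                              # constructed
TOTP_SECRET = base64.b32encode(b"victim-authenticator-seed").decode()  # constructed


def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def real_site_otp_login(password: str, code: str, now: float) -> bool:
    """The genuine site checks the password, then the OTP for the current
    window (and the previous one, as many deployments do). It has no way to
    tell a relayed code from one the account owner typed directly."""
    if not hmac.compare_digest(password, PASSWORD):
        return False
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, now - k * 30)) for k in (0, 1))


def victim_on_fake_otp_page(now: float) -> tuple:
    """Victim types the password on the fake page, is redirected to a fake
    OTP page, opens the authenticator app and types the code it shows."""
    return PASSWORD, totp(TOTP_SECRET, now)


def attacker_relays_otp(now: float, relay_delay: float = 5.0) -> bool:
    """Attacker submits what the victim typed to the real site almost
    simultaneously; a few seconds of delay stays inside the OTP window."""
    password, code = victim_on_fake_otp_page(now)
    return real_site_otp_login(password, code, now + relay_delay)


# ---- Genuine site, second factor: origin-bound security key --------------
KEY_SECRET = b"security-key-private-stand-in"       # constructed; HMAC replaces a real signature
REAL_ORIGIN = "https://accounts.example.com"        # assumed
PHISH_ORIGIN = "https://accounts-example-login.com" # assumed look-alike domain


def key_sign(challenge: bytes, origin: str) -> bytes:
    """The key signs the challenge together with the origin the *browser*
    reports. The victim cannot alter that field, and the attacker never
    receives a bare code to forward."""
    return hmac.new(KEY_SECRET, challenge + origin.encode(), hashlib.sha256).digest()


def real_site_key_login(challenge: bytes, claimed_origin: str, signature: bytes) -> bool:
    """The genuine site accepts only assertions whose signed origin is its own."""
    if claimed_origin != REAL_ORIGIN:
        return False
    return hmac.compare_digest(signature, key_sign(challenge, REAL_ORIGIN))


def attacker_relays_key_assertion() -> bool:
    """Attacker forwards the real site's challenge to the victim, who is on
    the phishing origin, then forwards the resulting assertion back."""
    challenge = b"\x01" * 32  # constructed challenge issued by the genuine site
    signature = key_sign(challenge, PHISH_ORIGIN)  # browser reports the phishing origin
    # Forwarding the honest origin fails the origin check; claiming the real
    # origin fails too, because the signature covers PHISH_ORIGIN.
    return (real_site_key_login(challenge, PHISH_ORIGIN, signature)
            or real_site_key_login(challenge, REAL_ORIGIN, signature))


if __name__ == "__main__":
    t = 1_700_000_000
    print("OTP relay accepted by real site:", attacker_relays_otp(t))
    print("Security-key relay accepted by real site:", attacker_relays_key_assertion())
```

The OTP half succeeds regardless of whether the code arrives by SMS or from an app, which is why the page's distinction between the two rests on what Certfa could confirm rather than on any difference in the relay. The key half fails because the origin is part of what is signed, not because of anything the victim does.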