Thursday, June 24 2021

Two-factor authentication can be turned against the user. A surprising discovery

About the author

Piotr Urbanyak

Many people believe that using two-factor authentication (2FA) gives 100% protection if a password leaks. But what if someone used 2FA as a component of the attack? Cyber security expert Luke Berner has shown that two-step verification can be a double-edged sword.

Berner found that on some very well-known sites 2FA is partly independent of the main password. Put simply, once someone has reached the second stage of verification, that pending login keeps working even if two-step verification is turned off and the password is changed.

The researcher first found this gap in Gmail. He entered the account password and, having reached the second login step, changed the password in another browser. Nevertheless, the previously generated access code still worked and let him into the site.

He reported the error to Google, but at first the company saw no reason to worry, reasoning that the 2FA session would expire after 20 minutes anyway. Then Berner found something else: the session is extended every time the user uses the "Try it differently" feature, so a macro can be set up to extend it without limit.

This opens the door to two potential attacks. The first is obvious: the attacker gets unlimited time to obtain (steal?) the authorization code. The second, somewhat paradoxically, consists of turning 2FA directly against the victim.

After the password of an account without two-factor authentication leaks, the attacker logs in and activates 2FA to obtain a one-time access code, then turns the protection off again. The unsuspecting victim changes the password, thinking the danger has been averted. Meanwhile, the attacker can still get in with the generated code, without knowing the updated password.
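One way a server can close both gaps described above, as an added example that is not from the original article and is not Google's actual fix: the pending second-step login is bound to a per-account security version and to a fixed deadline that no user action extends. The names `Account`, `PendingLogins` and `security_version` are hypothetical.

```python
import secrets
import time

MAX_PENDING_SECONDS = 20 * 60  # absolute cap, never extended

class Account:
    def __init__(self, password):
        self.password = password      # plaintext only to keep the sketch short
        self.two_factor_enabled = False
        self.security_version = 0     # bumped on every security-relevant change

    def change_password(self, new_password):
        self.password = new_password
        self.security_version += 1

    def set_two_factor(self, enabled):
        self.two_factor_enabled = enabled
        self.security_version += 1

class PendingLogins:
    """Logins that passed the password step and are waiting for the second step."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # token -> (account, version at step 1, start time)

    def start(self, account, password):
        if not secrets.compare_digest(password.encode(), account.password.encode()):
            return None
        token = secrets.token_urlsafe(16)
        self._pending[token] = (account, account.security_version, self._clock())
        return token

    def is_live(self, token):
        # Also used for "try another method" actions: it never moves the deadline.
        entry = self._pending.get(token)
        if entry is None:
            return False
        account, version, started = entry
        ok = (self._clock() - started <= MAX_PENDING_SECONDS
              and version == account.security_version)
        if not ok:
            del self._pending[token]
        return ok

    def finish(self, token, code_ok):
        live = self.is_live(token)
        self._pending.pop(token, None)  # single use, whatever the outcome
        return live and code_ok
```

Changing the password or toggling 2FA bumps the version, so a second-step login started beforehand is rejected even when the one-time code itself is correct.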

Only this scenario convinced the Mountain View company to intervene. According to a message sent to Berner, the gap has been eliminated. A happy ending? Yes, but not for everyone …

Microsoft and Instagram have the same problem, but they think it's purely theoretical

Surprisingly, the 2FA systems used by Microsoft and Instagram proved to have the same flaw. (Facebook's did not, although it has the same owner as Instagram.) But these companies were not as receptive to the researcher as Google. Redmond saw no flaw despite the evidence, and the team at the popular photo-sharing platform commented: "The attack is purely theoretical and should not happen often".

Well, no attack happens often, but every open door is an invitation to thieves. And here the issue is all the more serious because this is a mechanism that in theory is meant to protect us; in practice, everyone can see how it is. The conclusion, however, is that 2FA is absolutely important, if only so that an attacker does not turn it on for us. Sounds like good motivation, doesn't it?
