Shubham Shah reveals in a blog post that he has been able to bypass 2-Factor-Authentication on Facebook, Yahoo, LinkedIn and Google, yes, Google. Shah is based in Sydney, Australia, and this is where he conducted his research. Even so, this exploit/hack could be valid just about anywhere; it just hasn't been tested anywhere else (that we know of). 2-Factor-Authentication has always been a solid security measure to protect your accounts and is widely used, especially amongst more tech-savvy individuals. But now it seems there is indeed a way around it, and it is no longer the safety net it once was. Shah notified Facebook, Yahoo, LinkedIn and Google of the issue, and you can find all of his documentation in his blog post. Below you'll find just an excerpt from his post; I recommend reading his entire post to get the scope of his research. The link to the rest of it is at the end.
Analysis of 2FA, Concept and Flow of Exploit
Analysis of 2FA
When looking at 2-Factor-Authentication as a whole, there are only so many things that one can see in the attack scope. In my first analysis of 2FA, I always wondered if it were possible to do the following attacks:
- Bruteforce the 2FA pin (Some services such as Apple, only have a 4 digit pin with hardly any rate limiting).
- Find any exploitation vectors within the flow that could let me do a complete bypass of 2FA.
- Discover a flaw in the generation of pins.
- Somehow steal session tokens, after 2FA occurs, so that the attacker can also log into the account without going through 2FA.
The above techniques are all valid vectors of attack, but they’re usually unlikely to be present, as they are so orthodox and already have been defended against.
After I got past this stage of preliminary examination, I enumerated further and realised that there was a definite weak point in all 2FA services which allowed for the complete bypass of 2FA for an attacker. That weak point is voicemail.
Some readers might see how voicemail is problematic, as they may be aware of the scandal in 2009 in the UK which led to the hacking of celebrities' voicemail accounts. Their methods to gain access to voicemail were fairly worrying, being split up into the following: default voicemail PINs, no voicemail PIN set, and the method of calling your own phone – all documented by Sophos Security.
In another, very similar incident, the CEO of Cloudflare was also a target of 2FA bypassing via a voicemail-related incident; however, in this case the attack was much more sophisticated and required the attackers to socially engineer AT&T staff to redirect the voicemail of Matthew Prince to a fraudulent voicemail box.
The method I have used to gain access to voicemail accounts (only those I have been permitted to access for testing purposes) has been documented for a very long time and isn’t so complex/difficult to execute.
Even though the exploitation method of gaining access to voicemail boxes has had an increasingly high level of attention, it has not been patched in a large majority of networks in a few countries.
Concept and Flow of Exploit
As an attacker, you need four things to break into your victim's 2FA-protected account. They include:
- The victim's username/email & password.
- The victim's mobile number attached to the 2FA service.
- A mobile number spoofing service.
- The mobile network's voicemail number for remote access.
Realistically, as a sophisticated attacker, the above four requirements are not difficult to obtain. Getting the account password can be done through any of the traditional methods, and obtaining the mobile number attached to it is not so difficult either nowadays.
Mobile number spoofing services, such as Spoofcard, only cost $10 for multiple uses, and obtaining the mobile network's voicemail endpoint is also usually only a few Google searches away. Additionally, if one wished to avoid signing up for Spoofcard, they could hire a VoIP service which allows Caller ID spoofing, for the very same effect.
The first stage of the exploit:
- The attacker logs into the victim's account on a 2FA-enabled web application.
- The attacker engages a call with the victim's phone number (only 20-30 seconds needed).
- Immediately after this, the attacker chooses the alternative 2FA option to send the 2FA code via phone call.
- As the victim is engaged in the call by the attacker, the 2FA phone calling service will send the 2FA code to the victim's voicemail, immediately.
This is the first flaw. I might be opinionated on this, and people may disagree, but there is no considerable reason that I can think of for why 2-Factor-Authentication codes should go to voicemail. For the very small amount of usability it adds, there is also a considerable amount of risk when doing so. Based on the voicemail hacks done over the past few years, by sending the pins to voicemail – it is likely that you are able to bypass 2FA regardless of the second flaw that I am about to tell you.
The 2FA pin can also be sent to the victim's voicemail if the victim does not answer the phone call from the automated 2FA caller.
Continue reading HERE
Source: Shubham Shah
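A defender-side illustration of the first flaw described above, added here and not part of Shah's post or any vendor's code: a voice-OTP delivery policy that never reads the code into voicemail, refuses to deliver on a busy or unanswered line, and requires a live keypress before speaking the code. It assumes a hypothetical telephony provider that reports answering-machine detection (AMD) verdicts, busy/no-answer results and DTMF keypresses as string events; the event names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PROMPT_KEYPRESS = "prompt_keypress"  # ask the listener to press a key first
    PLAY_CODE = "play_code"              # read the one-time code to the listener
    HANG_UP = "hang_up"                  # end the call without revealing the code
    ABANDON = "abandon"                  # do not deliver; steer the user to another factor


@dataclass
class VoiceOtpCall:
    """One outbound voice-OTP call. Events are strings from a hypothetical telephony
    provider: 'answered:human', 'answered:machine', 'busy', 'no_answer',
    'dtmf:<key>' and 'timeout' (constructed names, not any real vendor's API)."""
    code: str
    prompted: bool = False      # we asked for a keypress and are waiting for it
    code_spoken: bool = False   # the code has been read out exactly once
    finished: bool = False      # no further events are acted on
    log: list = field(default_factory=list)  # audit trail of provider events

    def on_event(self, event: str) -> Action:
        self.log.append(event)
        action = self._decide(event)
        if action is not Action.PROMPT_KEYPRESS:
            self.finished = True  # every other outcome ends the call
        return action

    def _decide(self, event: str) -> Action:
        if event == "answered:machine":
            return Action.HANG_UP          # voicemail picked up: never leave the code
        if event in ("busy", "no_answer"):
            return Action.ABANDON          # engaged or unanswered line must not roll to voicemail
        if event == "answered:human":
            self.prompted = True
            return Action.PROMPT_KEYPRESS  # AMD can be fooled; demand a live keypress
        if event.startswith("dtmf:") and self.prompted and not self.code_spoken:
            self.code_spoken = True        # someone on the line proved they are listening
            return Action.PLAY_CODE
        return Action.HANG_UP              # timeout, unsolicited keypress or anything unexpected


def run_call(code: str, events: list) -> list:
    """Feed provider events to the policy until the call ends; return the actions taken."""
    call = VoiceOtpCall(code)
    actions = []
    for event in events:
        actions.append(call.on_event(event))
        if call.finished:
            break
    return actions
```

The busy and machine branches are the ones that close the attack path in the excerpt: a line tied up by another call, or a voicemail box answering, gets nothing.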