Two Factor Falsification | TechSNAP 206
Posted on: March 19, 2015

Microsoft takes 4 years to fix a nasty bug, how to bypass 2 factor authentication in the popular ‘Authy’ app.
Hijacking a domain with photoshop, hardware vs software RAID revisited, tons of great questions, our answers & much much more!
— Show Notes: —
Microsoft took 4 years to recover privileged TLS certificate addresses
- Domain validation, the step a CA performs before issuing a TLS certificate, is not foolproof
- To get a certificate, you must prove you control the domain you are requesting it for
- For email-based validation, the CA sends a challenge to one of a fixed set of administrative addresses at that domain: admin@, administrator@, webmaster@, hostmaster@ or postmaster@
- The problem comes when a webmail service, like Hotmail, lets an ordinary user register one of those usernames
- That is exactly what happened with Microsoft’s live.be and live.fi
- A Finnish man reported to Microsoft that he had obtained a valid HTTPS certificate for live.fi after registering hostmaster@live.fi as a regular webmail account
- It took Microsoft four to six weeks to solve the problem
- Additional Coverage – Ars Technica
- When this story came out, a Belgian man came forward to say he had reported the same problem with live.be more than four years earlier
- “After the Finnish man used his address to obtain a TLS certificate for the live.fi domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.”
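The control the story calls for, as an added example (not code from Microsoft, the CA, or the show): a registration-time check that refuses the local parts CAs accept for domain validation, plus an audit of accounts that already exist, since the Belgian report shows such mailboxes can sit registered for years. The sample usernames are constructed; which folds a provider applies before delivery (case, "+tag" suffixes, dots) is provider-specific and is an assumption here, which is why dot folding is a parameter.

```python
import unicodedata

# Local parts a CA may email as proof of domain control (the CA/Browser
# Forum Baseline Requirements list). A webmail provider must never let an
# ordinary signup claim one of these.
CA_VALIDATION_LOCALPARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)


def canonical_localpart(localpart, fold_dots=False):
    """Reduce a requested username to the mailbox it would actually deliver to.

    Which folds apply is provider-specific (an assumption in this example):
    Unicode compatibility normalisation, case folding and a '+tag' suffix are
    near-universal; dot folding is done by some providers only, so it is off
    unless asked for.
    """
    s = unicodedata.normalize("NFKC", localpart).strip().casefold()
    s = s.split("+", 1)[0]          # hostmaster+anything -> hostmaster
    if fold_dots:
        s = s.replace(".", "")      # host.master -> hostmaster
    return s


def signup_allowed(requested_username, fold_dots=False):
    """Registration-time check: refuse any username that would receive CA mail."""
    return canonical_localpart(requested_username, fold_dots) not in CA_VALIDATION_LOCALPARTS


def audit_existing_accounts(usernames, fold_dots=False):
    """Return already-registered usernames that collide with a CA address."""
    return [u for u in usernames if not signup_allowed(u, fold_dots)]


# Constructed sample of registered usernames for the demo. The last-but-one
# entry starts with a fullwidth 'h' (U+FF48), which NFKC folds to ASCII 'h'.
SAMPLE_ACCOUNTS = [
    "alice", "HostMaster", "host.master+cert", "postmaster ",
    "webmaster", "\uff48ostmaster", "bob",
]

if __name__ == "__main__":
    print("strict:", audit_existing_accounts(SAMPLE_ACCOUNTS))
    print("dot-folding provider:", audit_existing_accounts(SAMPLE_ACCOUNTS, fold_dots=True))
```

The audit should run with the same folding rules the delivery path uses: a provider that treats host.master and hostmaster as one mailbox has to block both, and one that does not must still block the exact names.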
Bypass 2 factor authentication in popular ‘Authy’ app
- Authy is a popular hosted two-factor authentication API
- It lets third-party sites add two-factor authentication with very little code
- Maybe a little too easily
- When a third-party site asks for the verification code that Authy sent to your phone, typing ../sms instead of a code gets you in
- The problem is that the third-party site sends the verification request and only checks for a ‘success’ response
- Because the code you type is placed directly into the request URL, the request does not go to https://api.authy.com/protected/json/verify/1234/authy_id as the site expects
- Instead the URL becomes https://api.authy.com/protected/json/verify/../sms/authy_id
- Which the Authy API, after decoding and collapsing the path, interprets as https://api.authy.com/protected/json/sms/authy_id
- That endpoint is the one used to send a code to the user in the first place
- So the call sends the user another token and returns success, without verifying anything
- The third-party application sees ‘success’ and lets the user in
- It is a weak design: the client should validate the response in a way that cannot be satisfied by a different endpoint, and the integration instructions should be explicit about checking “token”:”is valid” rather than just “success”:true
- Also, the API’s middleware should not percent-decode and path-normalize user-supplied URL segments before routing them
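A constructed simulation of the bypass as the notes describe it, added here as an example; it is not Authy’s code or any Authy client library. The account, the valid code and the response bodies are made up, the client percent-encoding the token before the server decodes it is an assumption about the client libraries, and the 6-8 digit code length in the hardened check is an assumption. The point it shows is that either of two independent fixes, rejecting non-numeric input before it reaches the URL or checking the verify-specific “token”:”is valid” field instead of “success”, defeats ../sms.

```python
import posixpath
import re
from urllib.parse import quote, unquote

# Constructed stand-in for the server-side state: one account (authy_id)
# and the one-time code currently valid for it. Not real Authy data.
VALID_TOKENS = {"12345": "0000000"}

VERIFY_RE = re.compile(r"^/protected/json/verify/([^/]+)/([^/]+)$")
SMS_RE = re.compile(r"^/protected/json/sms/([^/]+)$")


def build_verify_url_vulnerable(token, authy_id):
    """The client-library pattern the notes describe: user input dropped
    straight into the path. Percent-encoding turns '../sms' into '..%2Fsms',
    which is harmless only until something decodes it again."""
    return "/protected/json/verify/%s/%s" % (quote(token, safe=""), authy_id)


def simulate_path_middleware(path):
    """Stand-in for the server-side path handling the notes describe: it
    percent-decodes the request path and collapses '..' segments before
    routing, which is what turns 'verify/../sms' into 'sms'."""
    return posixpath.normpath(unquote(path))


def simulate_path_middleware_fixed(path):
    """The same normalisation without the decode step: an encoded '%2F'
    stays inside one opaque segment and cannot climb out of /verify/."""
    return posixpath.normpath(path)


def fake_authy_api(path):
    """Constructed model of the two endpoints. Field names follow the notes:
    'success' on both, 'token': 'is valid' only on a real verification."""
    m = VERIFY_RE.match(path)
    if m:
        token, authy_id = m.groups()
        if VALID_TOKENS.get(authy_id) == token:
            return {"success": True, "token": "is valid"}
        return {"success": False, "errors": {"message": "Token is invalid"}}
    m = SMS_RE.match(path)
    if m:
        # /sms queues a fresh code to the phone and reports that it did so;
        # it proves nothing about whether any code was verified.
        return {"success": True, "message": "SMS token was sent"}
    return {"success": False, "errors": {"message": "not found"}}


def check_token_vulnerable(user_input, authy_id):
    """Interpolate, send, trust 'success': the bypass works against this."""
    path = simulate_path_middleware(build_verify_url_vulnerable(user_input, authy_id))
    return fake_authy_api(path).get("success") is True


def check_token_hardened(user_input, authy_id):
    """Reject anything that is not a plain numeric code before it touches the
    URL, and require the verify-specific field rather than the generic flag.
    Either check alone is enough to stop '../sms'."""
    if not re.fullmatch(r"[0-9]{6,8}", user_input):  # length is an assumption
        return False
    path = simulate_path_middleware(
        "/protected/json/verify/%s/%s" % (user_input, authy_id))
    return fake_authy_api(path).get("token") == "is valid"


if __name__ == "__main__":
    for guess in ("0000000", "1111111", "../sms"):
        print("%-8s vulnerable=%s hardened=%s" % (
            guess, check_token_vulnerable(guess, "12345"),
            check_token_hardened(guess, "12345")))
```

The server-side lesson is in simulate_path_middleware_fixed: normalising a path is fine, but decoding percent-escapes first hands the client a way to inject path separators that the client library had already neutralised.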
Hijacking a domain
- An article in which a reporter had a security researcher take over his GoDaddy account and document how it was done
- A combination of social engineering, publicly available information and a photoshopped government ID let the researcher take over the GoDaddy account and every domain in it
- This could allow an attacker to:
- inject malware into your site
- redirect your email, capturing password reset emails from other services
- redirect traffic from your website to their own
- issue new SSL certificates for your sites, allowing man-in-the-middle attacks on your visitors with a certificate browsers accept
- Some of the social engineering steps:
- Create a fake social media profile in the name of the victim (with a fake picture of them)
- Create a Gmail address in the name of the victim
- Call and use any of a myriad of plausible excuses for why you do not have the required information:
- please provide your PIN? I don’t remember setting up a PIN
- my assistant registered the domain for me, so I don’t have access to the email address used
- my assistant used the credit card ending in: four made-up digits
- create a sense of urgency: “I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn’t a problem”
- GoDaddy requires additional verification if the domain is registered to a business; however, since many people make up a business name when they register a domain, it is very common for that business not to exist, and there are loopholes
- Often a letter on fake letterhead is accepted
- In the end, customer support reps are there to help the customer; it is hard for them to refuse a caller just because the caller lacks the required details or seems suspicious
- GoDaddy’s automated system sends notifications when changes are made, but by then it is often too late: the attacker has already taken over your account
- GoDaddy issued a response: “GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”
- It appears that Hover.com (owned by Tucows, the same company that owns Ting) is one of the only registrars that does not allow photo ID as a form of verification, stating “anyone could just whip something up in Photoshop.”
- GoDaddy notes that forging government ID (in photoshop or otherwise) is illegal
Round Up:
- Cisco will ship equipment to dead drops for its most sensitive clients, to avoid NSA interception and tampering
- “Evolution Market”, a digital underground shop selling everything illegal, has shut down; the founders apparently made off with $12 million in bitcoin
- Cisco still in the process of patching FREAK SSL flaw from January
- Facebook Develops ‘Yosemite’ Open Server Chassis with Intel
- HiltonHonors reward program offering 1000 points for changing your password before April 1st
- Safari’s Private Browsing Mode Saves URLs In an Easily Accessible File
- OpenSSL announces patch for multiple vulnerabilities
- GCHQ admits to hacking ISPs and other systems
- Researchers to demo a new persistent BIOS rootkit at CanSecWest
- Target reaches huge settlement with security breach victims – CBS News
- Convicted tax fraudster fugitive caught by authorities