Authy patches after 2FA bypassed in POC hack

Russian penetration tester Sakurity has found that attackers could temporarily bypass Authy's two-factor authentication (2FA), which enables users to log-in to Gmail, Dropbox, Facebook and Amazon's AWS.

Authy patches after 2FA bypassed in POC hack
Authy patches after 2FA bypassed in POC hack

In a blog post published on Sunday, the firm documents how Authy – which generates a one-time, time-sensitive password from an app to authenticate the user – could have been bypassed by attackers simply typing ‘../sms' into the two-factor code.

The vulnerability was related to multiple flaws affecting Authy-node, and Authy-Python, which included a lack of escaping for slashes introducing directory traversal for '../sms'.

Homakov said that all apps using API could be bypassed, and said that these vulnerabilities were probably introduced by developers trying to counter earlier flaws.

"It turns out even URL encoding was futile - path_traversal module in rack-protection was decoding %2f back to slashes," Homakov wrote on a blog post.

"This literally affects every API running Sinatra and reading parameters from the path. This is also a great example how libraries or features that aim to add security actually introduce security vulnerabilities."

"It introduces path traversal making an attacker's job much easier - you only need to type '../sms' to turn /verify API call into /sms (/verify/../sms/authy_id) which will always return 200 status and will bypass 2FA," he added.

Sakurity says that Authy, which was acquired by Twilio early this year,  ‘patched it very quickly' but said, plainly, that it would not be wildly exploited owing to a lack of technical expertise…outside its own organisation.

“I don't think it was ever exploitable because finding it requires our level of skills, something that black hat hackers don't have” Homakov told SCMagazineUK.com.

He went onto add on 2FA: “Not every 2FA is useful, I mean not in every situation. But in general it is helpful. I'm working on my own 2FA project/service and this is why I checked Authy and Duo Security.”

Authy issued the patch on February 8 but has not yet published details of the vulnerability.

Chris Russell, CTO of authentication specialist Swivel Secure, told SCMagazineUK.com:  “When designing any two-factor authentication solution, it's important to consider the motives and methods of an attacker, rather than focus solely on the user and how we want and expect them to behave. When we strive for user convenience and fault tolerance we must ensure we are not also making it easier for the hackers.

“End-users will always favour convenience and attackers will always try to exploit infrastructure weaknesses. With this in mind, any IT security infrastructure will become vulnerable when a business uses a ‘one-size-fits-all' solution.

“In response to the rise in cyber-attacks, some businesses are intent on applying layer upon layer of authentication in a bid to lockdown their corporate networks. This approach just focuses on the potential solutions. Instead, they should try to 'think-like-the-hacker'. One effective 'think-like-the-hacker' strategy is for those in charge of cyber-security to take a holistic view of their entire business, assessing the 'what-if' scenarios about how their data may be at risk. To do this they need to think about potential behaviours of attackers, not just the potential behaviours of their employees.

“By conducting a company-wide cyber-security risk-assessment, businesses can then deploy adaptive authentication, which works within a company's individual structure and enables workable parameters for different employees, access requests and services, applying exactly the right level of authentication to any given scenario.”

Update: Twilio has responded to the news by praising Sakurity's work and saying that it told its customers of the flaw via GPG-signed email on 12 March. The firm also added a "proactive notification to work with customers to upgrade the affected libraries."