welp
‘hacked’. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.
Yeah. They got data in a way that was not intended. That’s a hack. It’s not always about subverting something by clickity-clacking like in the movies.
Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.
It’s the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn’t (SQL injections, etc) – the other, is using the system exactly as it was programmed.
Downloading videos from YouTube isn’t “Hacking” YouTube. Even though it’s using the API in a way it wasn’t intended. Right-clicking a webpage and viewing the source code isn’t hacking - even if the website you’re looking at doesn’t want you looking at the source.
Sure. Except you’re wrong and have absolutely idea of what people in this community say about things. Let me be a dick and literally googz this for you and find an embarassing answer because you couldn’t do it yourself.
A missing rate limit is a vulnerability, or a weakness, depending on the definition. You’re playing smart without having an idea of what you’re talking about. Here you go:
https://cwe.mitre.org/data/definitions/799.html
YouTube videos are public, and as such it’s not really hacking. If you were able to download private videos, for example, it would be a vulnerability like “Improper Access Control”. It does not matter in the least whether you use an “exploit” in your definition (which is wrong) or “just increment the video ID”.
The result is a breach of confidentiality, and as such this is to be classified as a “hack”.
Hint – by manipulating or exploiting its code
Which I am explaining, they…did…not…do…
They did nothing to the code. They didn’t break the code, they didn’t cause the code to do anything it wasn’t designed to do. They did not exploit any code. They used an API endpoint that was in the open. For its intended purpose, to verify phone numbers. The api verified phone numbers, they verified phone numbers with the api. The only thing they did here…was they did verification on a lot of phone numbers.
With due respect, you are wrong.
hack
…
- (transitive, slang, computing) To hack into; to gain unauthorized access to (a computer system, e.g., a website, or network) by manipulating code
Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.
Exactly what this is. Read the disclosure. What about your response doesn’t fit that?
Does anyone have a suggested alternative for authy? (Please read the whole post before responding)
I’d love to go with an open source solution as I’ve done with my password manager, but that doesn’t seem possible with one of my big requirements:
Scenario: I’ve had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I’m able to log into my cloud storage and access my password database.
At this point I’d probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I’m not sure anything like that exists ready to go. I’m not particularly interested in rolling something myself for this.
I’d be dubious of jumping from one closed source product to another, but if there’s a particularly good option I’m all ears, I’ve been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.
Edit: added emphasis
Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis
Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?
The point is you physically and locally back up the database. Put it on your computer, or a flash drive or whatever. You can set a different, longer password for backups, and I would recommend you do that. When you get your new phone, you just copy the database into it and load it into a freshly installed Aegis. You don’t even need to self host anything, there is nothing to host.
Not everything needs to be “in the cloud”. I think this event illustrates nicely why.
(reposted from another comment mentioning aegis)
Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?
I think the suggestion here is to back up Aegis. I do something similar using Aegis + SyncThing.
I have a folder on my phone that is synced with my PC. Every so often, I will back up Aegis to that folder, and then it automatically syncs to PC.
I’ve looked into this before and unfortunately it doesn’t support the SMS requirement I have in my deal-breaker scenario—do you know if this has changed and can point me to the docs regarding it?
Oops, missed that part. Not that I know of, though SMS is a terrible way to do 2FA. It annoys me so many businesses and banks use it.
Do you really need that ?
Self hosting means you have outside your phone your real vault and the phone is just connecting to it to refresh its local data.
I’ve setup my vaulwarden in my local network kit’s the local bitwarden server i use), my phone, tablet or simple webbrowser can connect to it when i’m home via the classic bitwarden (with self hosting parameters).
If i travel, i have just to start my openVpn session and connect to my home but it’s only needed if I want to update something (the encrypted cache it’s enough for consulation). If I have nothing to change, no need to have a vpn. I just use the cached data.
If my phone is stolen the data are safe (cache is encrypted, source is not on the phone). I revoke the vpn access by precaution and move one. No sms scenario needed here.
You only need to have a backup phone or computer to setup your new access on the new phone.
Edit: of course my vpn connection is protected by a passphrase so nobody can connect to my home network without me around. And the bitwarden app is also protected of course.
I have similar requirements to you and honestly the best solution I could find was Microsoft Authenticator. I know Microsoft bad etc, but if you already have a Microsoft account anyway you can back up all your 2fa codes to your iCloud or Google account. If anyone knows of an open source alternative I’d be interested, but the ability to recover my accounts is more important than using something open source
If you’re talking about being able to regain access with no local backups (even just a USB key sewn into your clothing) your going to need to think carefully about the implications if someone else gets hold of your phone, or hijacks your number. Anything you can do to recover from the scenario is a way an attacker can gain access. Attempting to secure this via SMS is going to ne woefully insecure.
That being said, there are a couple of approaches you could consider. One option is to put an encrypted backup on an sftp server or similar and remember the login and passwords, another would be to have a trusted party, say a family member or very close friend, hold the emergency codes for access to your authentication account or backup site.
Storing a backup somewhere is a reasonable approach if you are careful about how you secure it and consider if it meets your threat model. The backup doesn’t need to contain all your credentials, just enough to regain access to your actual password vault, so it doesn’t need to be updated often, unless that access changes.
I would suggest either an export from your authentication app, a copy of the emergency codes, or a text file with the relevant details. Encrypt this with gpg symmetric encryption so you don’t have to worry about a key file, and use a long, complex, but reconstructable passphrase. By this I mean a passphrase you remember how to derive, rather than trying to remember a high entropy string directly, so something like the second letter of each word of a phrase that means something to you, a series of digits that are relevant to you, maybe the digits from your first friend’s address or something similarly pseudo random, then another phrase. The result is long enough to have enough entropy to be secure, and you’ll remember how to generate it more readily than remembering the phrase itself. It needs to be strong as once an adversary has a copy of the file they jave as long as they want to decrypt it. Once encrypted, upload it to a reliable storage location that you can access with just a username and password. Now you need to memorize the storage location, username, password and decryption passphrase generator, but you can recover even to a new phone.
The second option is to generate the emergency, or backup, codes to your authentication account, or the storage you sync it to, and have someone you trust keep them, only to be revealed if you contact them and they’re sure it’s you. To be more secure, split each code into two halves and have each held by a different person.
I highly recommend 1Password. It’s cross platform, including Linux, and it’s not only a great and sort l super secure password manager, but it also does 2FA codes and if you use their auto fill tool, it will also paste the 2FA code to clipboard so you can paste it in seamlessly.
Everything is full encrypted and needs a really long, unique to you, key to decrypt. So no one will be hacking this anytime soon. Even 1Password cannot open your vault.
Why does it require a phone number to use?!
They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn’t allow backups.
Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack
Also, Google Authenticator now supports backup. Aegis is another free alternative.
And as soon as I learned about that I stopped using it. Turns out it was the right choice - since then more then one company had breaches where authenticator seeds extracted from a google account were used to bypass 2fa.
Companies need to stop using Authy. It’s stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.
I expect most usage of authy was based on the open TOTP protocol that Google etc use. The additional benefit was backing up those codes to the authy account, hence the avenue of attack on those accounts.
I agree though, Authy, especially since it was bought out, should be avoided. They deprecated their desktop app which was the only semi useful part of their suite, but I stopped using it years ago.
I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.
Use aegis, export the keys and then reimport them every time you switch. Trusting your second factor to a cloud is a disaster waiting to happen.
If you want to get fancy setup your own cloud server (nextcloud, Seafile, owncloud etc) and set the backup folder for aegis to the self hosted cloud for easy restore every time you switch ROMs.
Simpler approach: auto export from aegis when an update occurs, syncthing or similar to your home PC. I have it synced across several computer in different locations and aegis is good enough to make unique filenames, combine with syncthing file history and I’m good for like 2 years of backups.
GA now backups your codes in your Google account, so this doesn’t happen anymore.
They had an obvious solution which is export to an encrypted text files and went with the option that lowers your security
I’ve started putting mine into my Bitwarden vault as well as Google auth, mainly because I’m a bit paranoid I’ll wind up locked out of something by trusting a second factor too much
With password recovery you shouldn’t be getting locked out of anything. I don’t see this being a risk.
