How To Bypass Two Step Verification Code

Now 2 step authentication are not safe, you guys will shock but its true. The attacker types ../sms in the SMS token field.
1

Sakurity researchers found the way to bypass the Authy 2 factor Authentication.

Here the details: 

>> The client app encodes it as ..%2fsms and makes an API call to Authy – https://api.authy.com/protected/json/verify/..%2fsms/authy_id

>> Path_traversal middleware decodes path to https://api.authy.com/protected/json/verify/../sms/authy_id,
splits by slashes and removes the directory in front of /…

>> Actual Authy API sees modified path https://api.authy.com/protected/json/sms/authy_id,
simply sends another SMS to authy_id (the victim) and responds with 200 status and {“success”:true,”message”:”SMS token was sent”,”cellphone”:”+1-XXX-XXX-XX85″}

>> All Authy SDK libraries consider 200 status as a successful response and let the attacker in. Even a custom integration most likely will look for “success”:true in the JSON body, and our /sms response body has it. So the only secure way to verify the response is to search for “token”:”is valid” substring (which is what Authy libraries do now).

Yes, the attacker was able to bypass 2 factor authentication on any website using Authy with something as simple as “../sms” in the token field!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s