Two-factor authentication (2FA) is a login verification function designed by Google to improve security. On top of the traditional account-and-password login, it adds a step in which a random verification code is generated on, or delivered to, the user's mobile device.
As early as September 2010, Google opened two-step verification to paying Google Apps customers. By early 2011 it was available to all users, and it was subsequently adopted as a model by websites such as Facebook, LinkedIn, Yahoo, the WSJ, and Tumblr.
In mid-2011, Shubham Shah wrote "Will your voicemail be compromised? Optus, Telstra, and Vodafone have something to say." About three years later, Shah found that the vulnerability still exists:
I remember 2FA becoming popular two years ago, when I was 16. I thought it was a genius idea: the best firewall for users, able to defend effectively against many attacks including phishing, and excellent protection for user data.
Recently, however, I changed my mind. 2FA still provides better protection than a password alone, but I have bypassed the 2FA of many websites, and they all send verification codes to users via voicemail. One of the carriers involved is Optus, an Australian mobile operator with more than 9.59 million users.
Here is a detailed description.
1. 2FA mechanism analysis and vulnerability principle
2FA mechanism analysis
When I analysed 2FA as a whole, I found many points of attack in the verification process. At the beginning, I listed the following:
Brute-forcing the verification code. Affected website: Apple, whose code is only four digits and which places almost no limit on the number of attempts.
Finding a login portal that does not require 2FA.
Finding the rules by which verification codes are generated.
Stealing the session information, that is, the cached session data and links issued after a 2FA login, so that 2FA is bypassed entirely.
These methods are theoretically feasible but hard to carry out in practice, because they are too "orthodox" and every website has corresponding defences.
After rejecting them, I analysed the whole 2FA process further and found a link with a low security factor: voicemail.
Some readers may recall the voicemail scandal of 2009, when the Guardian and the New York Times revealed that, to win the race for stories, journalists at the News of the World had broken into celebrities' voicemail to eavesdrop. Their "intrusion" method was rather weak: the reporter simply logged in with the mailbox's default password. Knowing a person's mobile number, the reporter would call it; if nobody answered, voicemail started automatically, and the reporter entered the password to search the mailbox for leads.
There is a very similar case. The voicemail of Cloudflare CEO Michelle Zatlyn was also broken into, but those intruders were clearly more sophisticated and the process more complex: they deceived AT&T employees into automatically forwarding Michelle's email to another mailbox.
As for the methods I used, they have been around for a long time and were not hard to document.
Despite the attention that voicemail vulnerabilities like these have attracted, the vast majority of websites in some countries have made no substantial improvement.
Vulnerability principle
To bypass 2FA and break into an account, an attacker must meet the following four conditions:
Know the username and password.
Know the phone number bound to the account's 2FA service.
Be able to spoof the caller's phone number.
Have remote access to the victim's voicemail.
In practice these are not hard for a professional intruder to meet. Any traditional attack can yield the account and password, and phone numbers are easier than ever to find. Cheap number-spoofing services can be found with Google, and if you would rather not register for one, VoIP can spoof numbers just as well.
The steps to bypass 2FA are:
Log in to the website with the account and password; the 2FA page appears.
Call the victim's mobile and keep the line busy for about 20-30 seconds.
On the 2FA page select "another method" and "send verification code by phone".
Because the victim's phone is busy, the verification code is sent to voicemail.
I am assuming here that a voice verification code delivered during a call goes to voicemail. Some people may object that this is not always the case. This behaviour does exist: it is convenient for a small number of people but brings enormous risk. Given how widely voicemail security has been criticised in recent years, I do not think the second flaw described below could be exploited successfully without it. When the victim does not answer, the voice message is sent to voicemail.
The second step of the 2FA bypass is "voicemail intrusion".
The figure (not reproduced here) shows the major Australian mobile operators, to which everything in this article also applies: the operators on the left fully meet the intrusion conditions, those on the right are only partly affected or not affected at all.
It should also be noted that the British outlet The Register confirmed that the UK mobile operators Three and EE belong to the left-hand group.
What does "fully meeting the intrusion conditions" mean?
These operators decide whether a caller is the owner of a voicemail box by using the "number recognition system", i.e. caller ID. If the numbers match, the system does not ask for the mailbox password.
This is not the case with American carriers, which do not care about the caller's number and always require a password. In Australia it is the case, and as far as I know users of these Australian operators can do nothing about number spoofing themselves; they can only wait for the operators to fix the problem.
The second step in detail:
Find a number-spoofing service; either a standalone service or VoIP with a custom caller ID will do.
Set the outbound number to +610411000321.
Set the "display number" to the victim's mobile number.
If you use a spoofing service such as SpoofCard, it gives you an access number and an access code; call the number and enter the code.
You are now dialling the victim's own voicemail as the victim's number, and can enter the account and password.
Why +610411000321? Australia has three major mobile carriers, Telstra, Optus and Vodafone, which resell their services, giving rise to many secondary providers. These resellers (the ones under Optus) use the same services as the parent operator, including the same customer-service hotline and the same voicemail service, so an attacker can use this one setting to cover most users.
Note: this vulnerability has been fixed by Optus.
Which operators on the right are only partly affected or completely unaffected?
As the figure shows, Telstra, Virgin and Vodafone belong to this group. I did not fully test intrusion against these carriers' users; the partial results so far are:
Telstra: requires a password, which defeats number-spoofing attacks.
Vodafone: if the user has not set a voicemail password, the system requires them to set one, which also defeats number-spoofing attacks.
Virgin: not tested yet, but it is part of Optus and is very likely to be affected.
2. Google's security team's response
Google was one of the first websites to use 2FA to protect user data, and users can enable it for all their Google services. If the operators' protection of mobile phone numbers were sound, 2FA would protect that data well; in fact, the operators are not so reliable.
If you have read the description above, you know that Google, Facebook, Yahoo and other websites using 2FA offer the option "send the verification code to voicemail if the call is not answered". It seems a small thing, but the chain reaction it sets off is a vivid case of "a thousand-mile dyke collapsing through an ant hole".
Voicemail is not centralised, and its security mechanisms reflect that: every mobile operator has its own voicemail management system.
Voicemail security mechanisms are managed by the operators, not by Google.
Once the 2FA verification code/one-time password has been sent to voicemail, an attacker is likely to gain access to the victim's Google services without doing anything to Google at all.
However, this is a noisy move: after intruders log in to the victim's Google account, the victim may receive a text message about the login, because that alert is triggered.
After I submitted this vulnerability to Google's security team, they replied:
Hello!
Thanks for submitting the vulnerability. We have read what you said carefully. We don't think this is a security issue in Google products. The premise of this attack is that the victim's Google account password has already been leaked, and the intruder's access to the victim's account is achieved through the operator's ineffective protection of the phone number's voicemail. We recommend that you submit this vulnerability directly to the mobile operator.
This reply is correct: the problem is indeed the mobile operators' security mechanism. But I think Google also bears part of the responsibility, because the option of sending the 2FA code to voicemail is high-risk, and many other websites that support 2FA do not offer it.
So I replied to this email:
Hello!
Thanks for your reply. I am looking for a channel to report this vulnerability to them.
Most mobile operators in Australia and the UK use only four-digit voicemail passwords, with no limit on incorrect attempts. That is to say, using a VoIP service with some scripts and multi-threading, you can brute-force a user's voicemail password in a short time.
Yes, this is largely the operators' problem. In addition, not only users in Australia and the UK are affected; users in other countries around the world are affected too.
However, I think Google can make improvements. Sending the verification code to the user's voicemail is not a good choice. The resulting risk cannot be attributed to Google, but Google does send sensitive information to a less secure place.
I talked to Duo Security and Authy, two companies focused on 2FA. They do not let users choose "send verification code straight to voicemail" as Google does; instead they solve the problem like this:
A mechanism is designed to interact with the user before the verification code is sent.
No plaintext code is left in voicemail.
The user is required to respond to the voice prompt for verification (2FA calls the user and the phone prompts "press X to continue").
We hope these measures will inspire your team.
Google quickly responded:
Hello!
Thank you for your explanation.
Because this is not a technical problem on Google's side, I cannot guarantee how much we can do, but I will pass your feedback on to our security department.
If you want to see the full text of the email conversation between me and Google's security team, click here.
So far I have not come up with a great solution. What I can think of is suspending the SMS and phone parts of the 2FA mechanism and replacing them with Google Authenticator.
In addition, unconfirmed reports say that Google accounts could be recovered through 2FA. My own test was unsuccessful, but the account of Cloudflare CEO Michelle was broken into this way.
3. Facebook's security team's response
It was only a few days ago that I remembered Facebook also has a 2FA mechanism, called "Login Approvals". According to the official site, Login Approvals brings "very high security; it is similar to login notifications, but with an additional security step."
Using the method described above, intruders can easily bypass Facebook's two-step verification.
The process is as follows:
Log in to the account (at this point the victim receives a text message with a verification code).
Click "Send me a verification code by text message"; the "Call me with a verification code" option appears.
Call the victim, or wait for him or her to be on a call, and click "Call me with a verification code".
The 2FA verification code then appears in voicemail.
You can also submit the form data "method_requested=phone_requested" directly to this link; combined with a local reverse proxy it works even better. Changing the parameter from "sms_requested" to "phone_requested" means the user never even receives the first text message. (Note 1)
If you are interested, click here for the full text of the vulnerability report email. Facebook's response was:
Hello,
We have temporarily disabled the "send verification code by text message to mobile phones" function. We will investigate further and review the security mechanism. At present we intend to add some new steps of interaction with the user during the call, so that the verification code is handed to the user instead of being sent to voicemail.
Thank you!
Facebook was extremely responsive and decisive.
4. LinkedIn's security team's response
LinkedIn behaves like Google and Facebook: if the call the system places automatically is missed, whether because it is not answered or because the line is busy, the 2FA verification code is sent to the victim's voicemail.
After I reported the vulnerability, LinkedIn completely disabled 2FA verification by phone.
Hello,
Thank you for alerting us so that we could temporarily block this vulnerability before it is made public.
Although no users have reported being affected, we have decided to temporarily disable the phone verification code function in 2FA. We are working with our partners to solve this problem, and once it is solved we will consider re-enabling the feature.
Thank you!
5. Yahoo's security team did not respond
Almost all Yahoo services that offer 2FA are affected, and more seriously than the previous websites, because Yahoo users are unlikely to find out that someone has logged in to their account.
Normally, when 2FA is enabled on a website and a user logs in from an unfamiliar location, the site immediately sends the user a text message. Yahoo is different: instead it shows a window asking the user whether to verify by SMS or by phone.
The user therefore does not learn immediately that someone has logged in to the account, and the intruder has longer to do whatever they want.
I reported this issue to Yahoo via HackerOne. Fourteen days have passed, but I have received no reply, nor have I seen Yahoo fix the vulnerability.
6. Authy and Duo Security: professionals, after all
I soon thought of the two companies that offer commercial 2FA services, but, to my disappointment as a researcher, they were well ahead of me. Both replied within 24 hours; in short, they had known about this vulnerability long ago and had considered voicemail-related security issues for a long time.
Authy's solution is to leave an empty voicemail, while Duo Security adds user interaction during the call.
7. Methods to reduce the security threat & feedback to mobile operators
If you want to know whether you are exposed to this risk, follow the process described above, changing the number dialled to your carrier's voicemail number. Please let me know the result; email and comments are both welcome.
As for reducing the threat, as already mentioned:
Ask the user to interact during the call to confirm that a real person has answered. (Recommended)
Check the voicemail system to determine whether the call reached it. (This may produce misjudgements)
Suspend the "send verification code by phone" function entirely. (This degrades the user experience)
These are not the only methods; professional organisations should design better mechanisms.
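The recommended mitigation above (and the Duo Security approach described earlier) can be modelled in a few lines. The following is an added example, not code from the original post or from Google, Authy or Duo Security; the telephony layer is simulated by a callback, and the function and callee names are assumptions for this illustration. It puts the flawed "speak the code on connect" flow beside a flow that speaks the code only after the callee presses a requested digit, and shows that a voicemail recording captures the code in the first case but not the second.

```python
import re
import secrets
from typing import Callable, List, Optional

# A callee receives each spoken prompt and returns the DTMF digit it
# presses, or None when nothing is pressed before the timeout.
# (Assumed interface for this example; a real system would use a
# telephony API's call and DTMF-collection primitives.)
Callee = Callable[[str], Optional[str]]


def human_callee(prompt: str) -> Optional[str]:
    """A person listening to the call presses the digit it asks for."""
    m = re.search(r"press (\d)", prompt)
    return m.group(1) if m else None


def voicemail_callee(prompt: str) -> Optional[str]:
    """A voicemail greeting answers and records audio, but never presses
    a key, so every prompt times out."""
    return None


def deliver_otp_unsafe(code: str, callee: Callee) -> List[str]:
    """The flawed flow the post describes: the code is spoken as soon as
    the call connects, so whatever answered (a person or a recording)
    gets it. Returns the spoken transcript."""
    spoken = [f"Your verification code is {' '.join(code)}."]
    callee(spoken[0])
    return spoken


def deliver_otp_interactive(code: str, callee: Callee,
                            attempts: int = 2) -> List[str]:
    """Hardened flow: the code is spoken only after the callee presses the
    requested digit. Recording systems cannot respond, so the audio left
    in voicemail contains no code. Returns the spoken transcript."""
    digit = str(secrets.randbelow(9) + 1)  # fresh digit 1-9 for this call
    spoken: List[str] = []
    for _ in range(attempts):
        prompt = f"To hear your sign-in code, press {digit} now."
        spoken.append(prompt)
        if callee(prompt) == digit:
            spoken.append(f"Your verification code is {' '.join(code)}.")
            return spoken
    spoken.append("No response received. Goodbye.")  # code never spoken
    return spoken


def code_leaked(transcript: List[str], code: str) -> bool:
    """Defender's check: did the spoken audio contain the code digits?"""
    return any(" ".join(code) in line for line in transcript)


if __name__ == "__main__":
    otp = "482913"  # constructed sample code
    print(code_leaked(deliver_otp_unsafe(otp, voicemail_callee), otp))       # True
    print(code_leaked(deliver_otp_interactive(otp, voicemail_callee), otp))  # False
    print(code_leaked(deliver_otp_interactive(otp, human_callee), otp))      # True
```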
Optus
I submitted this vulnerability to Optus together with Ben Grubb (technology editor of the Sydney Morning Herald and the Times). We complemented each other well, and the submission process went very smoothly.
When I first discovered this vulnerability at Optus, I wrote "Will your voicemail be compromised? Optus, Telstra, and Vodafone have something to say", which contained these two paragraphs from Optus:
"Optus attaches great importance to customer privacy. Each user's voicemail has an individual password. When a customer service representative resets this password, they ask the user to change it to a unique string they can remember."
"We are considering different solutions for the emerging industry threat of number spoofing, including technical measures and general security education for our customers."
That article was published on July 22, 2011, nearly three years ago. The problem still exists and poses a huge privacy risk.
On October 16, May 2, 2014, Grubb and I submitted a vulnerability report to Optus. About a week later, Optus fixed the vulnerability.
However, just a few hours after the fix, I found another way to bypass 2FA and access any Optus user's voicemail again. Optus is fixing this vulnerability, so I will not describe it in detail here, but it must be stressed: if you are a customer of Optus or one of its sub-carriers, pay attention to the security of your voicemail and change the password regularly.
8. Last words
Just as I was previously obsessed with SSRF (Server-side Request Forgery, Note 2) and its restrictions, I think voicemail, and the security of mobile operators as a whole, will be my research direction in future. Everyone knows that mobile operators' services are insecure, but few people point it out, and the carriers will not discover and fix vulnerabilities on their own initiative; we will not know how serious these vulnerabilities are until major incidents emerge.
If you want to follow the voicemail topic, follow my Twitter account and I will post updates on my communication with the carriers.
These services are also likely to be vulnerable to the same 2FA bypass, but I have not fully tested them: Snapchat, Amazon, Airbnb, Elance, Discover ......
I hope you found this useful.
Notes
Note 1: A user accesses http://bigc.at/readme, but there is no readme page on bigc.at. The server secretly retrieves it from another server and then sends it as its own content: the server behind the domain name has reverse proxying enabled. In other words, a reverse proxy is the reverse of a forward proxy. To a client it looks like the origin server, and the client needs no special configuration: it sends an ordinary request for content in the reverse proxy's namespace, the reverse proxy decides where (which origin server) to forward the request, and returns the content it obtains to the client as if it were its own. (Big Cat)
Note 2: The vulnerability can be exploited to send forged requests from the vulnerable server to a target service. The target can be an intranet service and can use different protocols; whether the attack succeeded is judged from the response (if the attack is blind, no response is needed :)). (EVILCOS)