Two Factor Falsification | TechSNAP 206

Two Factor Falsification | TechSNAP 206

Microsoft takes 4 years to fix a nasty bug, how to bypass 2 factor authentication in the popular ‘Authy’ app.

Hijacking a domain with photoshop, hardware vs software RAID revisited, tons of great questions, our answers & much much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Microsoft took 4 years to recover privileged TLS certificate addresses

  • The way TLS certificates are issued currently is not always foolproof
  • In order to get a TLS certificate, you must prove you own the domain that you are attempting to request the certificate for
  • Usually, the way this is done is sending an email to one of the administrative addresses at the domain, like postmaster@, hostmaster@, administrator@, or abuse@
  • The problem comes when webmail services, like hotmail, allow these usernames to be registered
  • That is exactly what happened with Microsoft’s and
  • A Finnish man reported to Microsoft that he had been able to get a valid HTTPS certificate for by registering the address
  • It took Microsoft four to six weeks to solve the problem
  • Additional Coverage – Ars Technica
  • When this news story came out, another man, from Belgium, came forward to say he reported the same problem with over 4 years ago
  • “After the Finnish man used his address to obtain a TLS certificate for the domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.”

Bypass 2 factor authentication in popular ‘Authy’ app

  • Authy is a popular reusable 2 factor authentication API
  • It allows 3rd party sites to easily implement 2 factor authentication
  • Maybe a little too easily
  • When asked for the verification code that is sent to your phone after a request to Authy is received, simply entering ../sms gives you access to the application
  • The problem is that the 3rd party sites send the request, and just look for a ‘success’ response
  • However, because the input is interpreted in the URL, the number you enter is not fed to: as it is expected to be
  • But rather, the url ends up being:
  • Which is actually interpreted by the Authy API as:
  • This API call is the one used to actually send the code to the user
  • This call sends another token to the user and returns success
  • The 3rd party application sees the ‘success’ part, and allows the user access
  • It seems like a weak design, there should be some kind of token that is returned and verified, or the implementation instructions for the API should be explicit about checking “token”:”is valid” rather than just “success”:true
  • Also, the middleware should probably not unescape and parse the user input

Hijacking a domain

  • An article where a reporter had a security researcher steal his GoDaddy account, and document how it was done
  • A combination of social engineering, publically available information, and a photoshopped government ID, allowed the security researcher to take over the GoDaddy account, and all of the domains inside of it
  • This could allow:
  • an attacker to inject malware into your site
  • redirect your email, capturing password reset emails from other services
  • redirect traffic from your website to their own
  • issue new SSL certificates for your sites, allowing them to perform man-in-the-middle attackers on your visitors with a valid SSL certificate
  • Some of the social engineering steps:
    • Create a fake Social Media profile in the name of the victim (with the fake picture of them)

    • Create a gmail address in the name of the victim

    • Call and use myriad plausible excuses why you do not have the required information:
    • please provide your pin #? I don’t remember setting up a pin number
    • my assistant registered the domain for me, so I don’t have access to the email address used
    • my assistant used the credit card ending in: 4 made up numbers
    • create a sense of urgency: “I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn’t a problem”
    • GoDaddy requires additional verification is the domain is registered to a business, however, since many people make up a business name when they register a domain, it is very common for these business to not actually exist, and there are loopholes
    • Often, you can create a letter on a fake letterhead, and it will be acceptable
  • In the end, Customer Support reps are there to help the customer, it is usually rather difficult for them to get away with refusing to help the customer because they lack the required details, or seem suspicious
  • GoDaddy’s automated system sends notifications when changes are made, however in this case it is often too later, the attacker has already compromised your account
  • GoDaddy issued a response: “GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”
  • It appears that (owned by Tucows, the same company that owns Ting) is one of the only registrars that does not allow photo ID as a form of verification, stating “anyone could just whip something up in Photoshop.”
  • GoDaddy notes that forging government ID (in photoshop or otherwise) is illegal


Round Up:

Question? Comments? Contact us here!