How To Bypass Two Step Verification Code
How To Bypass Two Step Verification Code?
Two-step authentication is not as safe as you might think; this may come as a shock, but it is true. The attacker types ../sms in the SMS token field.
Sakurity researchers found a way to bypass Authy two-factor authentication.
Here are the details:
>> The client app encodes it as ..%2fsms and makes an API call to Authy - https://api.authy.com/protected/json/verify/..%2fsms/authy_id
>> Path_traversal middleware decodes the path to https://api.authy.com/protected/json/verify/../sms/authy_id, splits it by slashes and removes the directory in front of /...
>> The actual Authy API sees the modified path https://api.authy.com/protected/json/sms/authy_id, simply sends another SMS to authy_id (the victim) and responds with 200 status and {"success":true,"message":"SMS token was sent","cellphone":"+1-XXX-XXX-XX85"}
>> All Authy SDK libraries consider 200 status as a successful response and let the attacker in. Even a custom integration most likely will look for "success":true in the JSON body, and our /sms response body has it. So the only secure way to verify the response is to search for the "token":"is valid" substring (which is what Authy libraries do now).
Yes, the attacker was able to bypass 2 factor authentication on any website using Authy with something as simple as "../sms" in the token field!
Source: Sakurity
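The two defensive lessons in the write-up are (1) never let user input reach a URL path without validating it against the expected token format, and (2) do not treat a 200 status or a generic "success":true as proof that a token was verified. The following is an added example written for this post, not Authy's SDK code: it shows the weak acceptance checks beside a strict one and runs them over constructed sample responses. The /sms body is the one quoted above; the /verify bodies (VERIFY_OK_RESPONSE, VERIFY_BAD_RESPONSE) and the 6-8 digit token format are assumptions made for the example.

```python
import json
import re
from urllib.parse import quote

# Constructed sample (status, body) pairs. SMS_RESPONSE is the body quoted in the
# post; the two verify bodies are assumptions modelled on the "token":"is valid"
# marker the post says the libraries now check for.
SMS_RESPONSE = (200, '{"success":true,"message":"SMS token was sent","cellphone":"+1-XXX-XXX-XX85"}')
VERIFY_OK_RESPONSE = (200, '{"success":true,"message":"Token is valid.","token":"is valid"}')
VERIFY_BAD_RESPONSE = (401, '{"success":false,"message":"Token is invalid"}')

# Assumed token format: a plain numeric one-time code. Anything else (including
# "../sms") is rejected before it can be embedded in a request path.
TOKEN_RE = re.compile(r"[0-9]{6,8}")


def token_looks_valid(token: str) -> bool:
    """Allow-list check on the user-supplied token string."""
    return TOKEN_RE.fullmatch(token) is not None


def build_verify_path(token: str, authy_id: int) -> str:
    """Build the verify path only from a validated token and a numeric user id.

    quote() with safe='' additionally encodes '/' if validation were ever loosened,
    so a traversal segment can never be produced by this function.
    """
    if not token_looks_valid(token):
        raise ValueError("token must be 6-8 digits")
    return f"/protected/json/verify/{quote(token, safe='')}/{int(authy_id)}"


def weak_accept_status(status: int, body: str) -> bool:
    """Status-only check: the pattern the post says the SDKs relied on."""
    return status == 200


def weak_accept_success_flag(status: int, body: str) -> bool:
    """Status plus generic success flag: still satisfied by the /sms response."""
    return status == 200 and json.loads(body).get("success") is True


def strict_accept(status: int, body: str) -> bool:
    """Require the verify-specific marker, equivalent to the substring check
    the post describes but done on the parsed JSON rather than raw text."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return data.get("success") is True and data.get("token") == "is valid"


if __name__ == "__main__":
    for name, check in [("status-only", weak_accept_status),
                        ("success-flag", weak_accept_success_flag),
                        ("strict", strict_accept)]:
        print(f"{name:13s} accepts /sms body: {check(*SMS_RESPONSE)}")
    for raw in ("123456", "../sms"):
        print(f"token {raw!r} passes format check: {token_looks_valid(raw)}")
```

Running it shows that both weak checks accept the /sms response while only strict_accept rejects it, and that the format check stops "../sms" before a path is ever built. The general rule is the same for any verification API: validate the input against an allow-list, and accept only a response field that is specific to the operation you asked for.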