This Week in Security: Phreaking for Fun and Profit; Leaky Software

Phreaking for Fun and Profit – Two-Factor Auth or Single Factor Betrayal?

In another tale of vulnerable authentication schemes, researchers at Positive Technologies demonstrated how to steal Bitcoins from Coinbase accounts due to a weak password recovery mechanism.

The attack begins by taking over the user’s Gmail account via the password reset mechanism, which relies on a one-time code sent via SMS to the victim’s cellphone. However, due to weaknesses in the underlying telecommunications network known as Signaling System 7 (SS7), attackers can intercept SMS messages for specific phone numbers.

With the one-time code in hand, the attacker resets the victim’s password and gains access to the user’s inbox. From there, the same password reset mechanism at Coinbase sends a URL to the controlled inbox, allowing the attacker to reset the victim’s Coinbase password, take full control and transfer Bitcoins out of the victim’s wallet.

That’s not to say you should run out and disable all of your SMS-based 2-factor authentication (2FA), but you should be aware that the security provided by SMS-based 2FA is much weaker than a 2FA token generated locally on a dedicated device or smartphone.

Poorly designed password reset mechanisms that rely only on the 2FA token betray the user’s trust in security. It’s a violation of the name since the second factor becomes the singular primary factor for authenticating a user in a password reset scenario. 2FA is supposed to provide an additional layer of protection, not serve as a backdoor.

Additionally, the monstrous hash dump released by Troy Hunt earlier this year has almost been fully cracked with 99.42% of the hashes cracked according to the shared community password recovery site, Hashes.org.

As always, you can protect yourself with the following recommendations:

  • Using a password manager to generate and store strong passwords
  • Generate unique passwords for each login
  • Don’t leave your devices lying around unlocked
  • Register a secure PIN with your wireless provider to prevent attackers from requesting replacement SIM cards tied to your phone number
  • Use soft-token 2FA applications such as Google Authenticator, Authy, or Duo instead of SMS-based 2FA solutions.

Apache Webserver Leaks Memory, iTerm2 Leaks Sensitive Data

Hanno Böck re-discovered a vulnerability in the popular Apache httpd webserver, which results in the server leaking arbitrary memory in the HTTP header. Dubbed “Optionsbleed,” the vulnerability was actually published in a 2014 paper by researchers from Old Dominion University.

Despite being known for three years, the vulnerability was left unpatched until recently.

The good news is that the impact of the vulnerability is limited to certain configurations of Apache httpd that use the “Limit” directive. Of the Alexa Top 1 Million hosts, only 466 hosts (0.046%) were identified to be vulnerable - which is nowhere near the impact of Heartbleed, which affected 5.2% of the Alexa Top 1 Million.

On the other side of the software spectrum is iTerm2, a popular macOS terminal program, which incidentally leaked sensitive information such as passwords and API keys. iTerm2 attempts to implement a user-friendly feature by determining if strings of text containing “//” are a valid URL by issuing a DNS lookup for the string.

Unfortunately, anything containing “//” would be sent to the user’s DNS server, which is typically run by his/her Internet service provider (ISP). Sensitive information such as passwords or API keys which contained a “//” would be sent in clear-text to the DNS server.

This vulnerability can be mitigated by disabling the “Perform DNS lookups to check if URLs are valid?” setting. This feature is also off by default in version 3.1.1 which was released to address this issue.

Protect yourself by keeping your software up to date.