• kitnaht@lemmy.world · ↑129 ↓31 · 5 months ago

    ‘hacked’. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.

    • just_another_person@lemmy.world · ↑126 ↓8 · 5 months ago

      Yeah. They got data in a way that was not intended. That’s a hack. It’s not always about subverting something by clickity-clacking like in the movies.

      • kitnaht@lemmy.world · ↑45 ↓22 · edited · 5 months ago

        Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.

        It’s the difference between finding an angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn’t (SQL injections, etc) – the other is using the system exactly as it was programmed.

        Downloading videos from YouTube isn’t “Hacking” YouTube. Even though it’s using the API in a way it wasn’t intended. Right-clicking a webpage and viewing the source code isn’t hacking - even if the website you’re looking at doesn’t want you looking at the source.

          • ___@lemm.ee · ↑2 · 5 months ago

            A system fault is not the same as a vulnerability. These would have different baseline CVSS 3.1 scores, with the temporal and environmental reducing over time. A medium/low at best for a public endpoint exposing PII.

        • just_another_person@lemmy.world · ↑9 ↓7 · 5 months ago

          Sure. Except you’re wrong and have absolutely no idea of what people in this community say about things. Let me be a dick and literally googz this for you and find an embarrassing answer because you couldn’t do it yourself.

      • NateNate60@lemmy.world · ↑13 ↓6 · 5 months ago

        With due respect, you are wrong.

        hack

        1. (transitive, slang, computing) To hack into; to gain unauthorized access to (a computer system, e.g., a website, or network) by manipulating code

        Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.

        Wiktionary

          • NateNate60@lemmy.world · ↑5 ↓8 · 5 months ago

            They did not do it by manipulating code. This wasn’t the result of a code vulnerability. If you leave the door wide open with all your stuff out for the entire neighbourhood to see, you can’t claim you were “broken into”. Similarly, if you don’t secure your endpoints, you can’t claim you were “hacked”.

            • sudneo@lemm.ee · ↑7 · 5 months ago

              Lack of rate limiting is a code vulnerability if we are talking about an API endpoint.

              Not that discussion makes any sense at all…

              Also, “not securing” doesn’t mean much. Security is not a boolean. They probably have some controls, but they still have a gap in the lack of rate limiting.

              • NateNate60@lemmy.world · ↑2 ↓2 · 5 months ago

                It is a vulnerability, but exploiting that vulnerability is not generally considered by security experts to be “hacking” in the usual meaning of that term in academic settings. Using an open or exposed API, even one with a sign that says “don’t abuse me”, is generally not considered hacking.

                • sudneo@lemm.ee · ↑4 · 5 months ago

                  I am a security professional. I would personally not care less to make the distinction, as both are very generic terms that are used very liberally in the industry.

                  So I don’t see any reason not to call this hacking. This was not an intended feature. It was a gap, which has been used to perform things that the application writer did not intend (not in this form). It fits with the definition of hacking as far as I can tell. In any case, this is not an academic discussion, it is a security advisory or an article that talks about it.

              • NateNate60@lemmy.world · ↑7 ↓2 · 5 months ago

                Please provide a link to whatever source claims this.

                I hold a computer science degree and this contradicts the definition of “hack” versus “exploit” used in academic settings.

        • kitnaht@lemmy.world · ↑2 ↓8 · edited · 5 months ago

          Hint – by manipulating or exploiting its code

          Which I am explaining, they…did…not…do…

          They did nothing to the code. They didn’t break the code, they didn’t cause the code to do anything it wasn’t designed to do. They did not exploit any code. They used an API endpoint that was in the open. For its intended purpose, to verify phone numbers. The API verified phone numbers, they verified phone numbers with the API. The only thing they did here…was they did verification on a lot of phone numbers.
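
The control everyone in this branch says was missing is a rate limit on the verification endpoint. As an added illustration (not Authy's code, and not from any commenter), here is a toy verification endpoint with a per-client sliding-window limit plus a tripwire for a client checking many distinct numbers; the registered numbers, client ids and thresholds are constructed sample values.

```python
import time
from collections import defaultdict, deque

# Constructed sample of "registered" numbers (toy data, not from any real service).
REGISTERED_NUMBERS = {"+15550001111", "+15550002222"}


class VerifyEndpoint:
    """Phone-number verification endpoint with a per-client sliding-window
    rate limit, plus a tripwire that flags a client querying many *distinct*
    numbers inside one window (enumeration rather than retries)."""

    def __init__(self, max_requests=5, max_distinct=3, window_s=60.0,
                 clock=time.monotonic):
        self.max_requests = max_requests
        self.max_distinct = max_distinct
        self.window_s = window_s
        self.clock = clock                   # injectable for deterministic tests
        self._hits = defaultdict(deque)      # client -> deque of (time, number)
        self.alerts = []                     # (client, distinct_count) for the SOC

    def _recent(self, client, now):
        q = self._hits[client]
        while q and now - q[0][0] > self.window_s:   # drop hits outside the window
            q.popleft()
        return q

    def verify(self, client, number):
        """Return an HTTP-like result; 429 means throttled and nothing is revealed."""
        now = self.clock()
        q = self._recent(client, now)
        if len(q) >= self.max_requests:
            return {"status": 429, "registered": None}
        q.append((now, number))
        distinct = {n for _, n in q}
        if len(distinct) > self.max_distinct:
            self.alerts.append((client, len(distinct)))
            return {"status": 429, "registered": None}
        # This boolean is exactly the data that bulk querying harvests; the
        # limit only bounds how fast one client can collect it.
        return {"status": 200, "registered": number in REGISTERED_NUMBERS}


def simulate_enumeration(candidates, client="scraper", **limits):
    """Run one client through a list of candidate numbers within a single
    window and report how many answers leaked before the controls kicked in."""
    ep = VerifyEndpoint(clock=lambda: 0.0, **limits)
    leaked = sum(1 for n in candidates if ep.verify(client, n)["status"] == 200)
    return {"leaked": leaked, "blocked": len(candidates) - leaked,
            "alerts": len(ep.alerts)}
```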

          • Guest_User@lemmy.world · ↑4 · 5 months ago

            They absolutely exploited unintended functionality. If this was intended, they wouldn’t have added rate limiting and locked down the API after. It was clear to say this was certainly not an intended use of the API.

            In a video game for example, if there is an item that caused excessive lagging just by placing the item. Placing a lot of them with the intent to lag the game would be an exploit. They only used items sanctioned by the game, but for unintended reasons and they would likely be banned for exploitation.

    • Cornelius_Wangenheim@lemmy.world · ↑25 · edited · 5 months ago

      That’s what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn’t be able to do.

  • ugjka@lemmy.world · ↑47 ↓2 · 5 months ago

    I realized a long time ago that I don’t want my 2FA to be tied to my phone number. And then I found you can’t export your data from Authy because they know they are scummy fucks and don’t want anyone to leave

    • maryjayjay@lemmy.world · ↑9 · edited · 5 months ago

      You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.

      Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file

    • Srootus@sh.itjust.works · ↑3 · edited · 5 months ago

      I used this method to export my Twitch 2FA to Aegis. Although I did this a few years ago, I think it still works

      Edit: reading through comments made me realise Authy’s desktop app doesn’t seem to be a thing anymore, so sadly I don’t think it works anymore

      • can@sh.itjust.works · ↑1 · 5 months ago

        Wow, that was one of the things that drew it to me in the first place. I break phones too frequently to feel comfortable leaving everything to them.

      • Contravariant@lemmy.world · ↑7 · 5 months ago

        Use TOTP wherever possible. It’s standardized, and typically can be found somewhere if you keep digging hard enough.

        Plenty of services push their own proprietary systems hard though. Looking at you M$

        • Tryptaminev@lemm.ee · ↑2 · 5 months ago

          I also find this infuriating. I had a service offer TOTP for authentication. Installed an open source TOTP app, scanned the QR and voila.

          The service meanwhile can control whether they want to generate a new token or give out the old one again, for instance when a device was lost.

          It is the easiest, most convenient solution both for the service provider and the client. There is no excuse for any other 2FA system to be used.

  • net00@lemm.ee · ↑19 · 5 months ago

    Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?

    Unfortunately I can’t use aegis on iOS/windows, does keepass have this functionality?

      • riplin@lemm.ee · ↑7 · 5 months ago

        I’ve been running a self-hosted Vaultwarden server with Bitwarden clients. It’s been perfect. The clients could use some usability work, but other than that, no complaints.

    • snek_boi@lemmy.ml · ↑14 · 5 months ago

      These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.

      • lud@lemm.ee · ↑6 · 5 months ago

        Don’t synced solutions completely defeat the purpose of MFA?

        • snek_boi@lemmy.ml · ↑1 · 5 months ago

          You’ve got a good point. I wonder if this is an example of a trade-off between convenience and security. If you’re logging in and you get an MFA prompt, a Yubikey has to be physically searched, while Bitwarden or Proton Pass only have to be clicked. A Yubikey can only hold a limited number of accounts, while Bitwarden or Proton Pass could hold many more. Of course, a Yubikey could be used as MFA for Bitwarden or Proton Pass, but that would create a single point of failure and reduce factor separation (which I think is your original point).

          While I posted a Bitwarden or Proton Pass recommendation of sorts, I genuinely wonder if it’s advisable to not use MFA at all if the factors will not be separated. Or, perhaps, the best security solution is the one you’ll actually use. I guess the answer is the good ol’ “What’s your security model?”

          • Passerby6497@lemmy.world · ↑1 · 5 months ago

            I wonder if this is an example of a trade-off between convenience and security.

            I genuinely wonder if it’s advisable to not use MFA at all if the factors will not be separated. Or, perhaps, the best security solution is the one you’ll actually use

            Your first and last statements are correct. Using your password manager as your MFA is a trade off with security and convenience, but that added convenience helps make it more usable so you actually use it. Anything is a trade up for most peoples’ awful password hygiene, so the trade off is worth it in my opinion.

            Regarding the advisability of combining password and MFA into one platform: while you are lowering the overall security of your accounts, if you secure the main account with a long/strong password and a hardware security key, I would say that’s still more secure than not having 2FA enabled or not using secure passwords.

    • Veraxus@lemmy.world · ↑4 · 5 months ago

      Most decent password managers (e.g. 1Password, Proton Pass) have MFA built-in. Use those.

    • NotMyOldRedditName@lemmy.world · ↑3 ↓1 · edited · 5 months ago

      Buy a few (at least 2 for a backup) yubikeys.

      Much more secure.

      You can store the TOTP codes on them, but then you can also do all the higher security things too.

      No one’s breaking into your Google account if you secure it with those keys and remove the sms backup method unless they’ve physically stolen the yubikey

  • ___@lemm.ee · ↑9 · 5 months ago

    Friendly reminder to change your master password. You’re one SIM jack away from having your life locked away for ransom. They didn’t breach the seeds, but next time who knows. I would start migrating and changing 2FA codes just in case. You never know who might be spraying.

    • COASTER1921@lemmy.ml · ↑6 · 5 months ago

      The problem is so many services requiring SMS to be that second factor. From what I’ve heard it’s easy enough to steal a sim that if you’re being explicitly targeted it’s basically the same as no second factor. Yet even if using an authenticator app most services require you to still have SMS/phone as another option for the 2FA.

      For Authy specifically they’d need to guess your master password and then hijack your phone number, and for users of Authy I suspect their passwords are not easily guessed as it’s already a step above the standard SMS only 2FA most services require.

    • Wispy2891@lemmy.world · ↑8 · 5 months ago

      They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn’t allow backups.

      Cloudflare, Humble Bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now Authy is a money-losing operation for Twilio and this shows on the unsecured API access that allowed the hack

  • 9point6@lemmy.world · ↑8 ↓1 · edited · 5 months ago

    Does anyone have a suggested alternative for authy? (Please read the whole post before responding)

    I’d love to go with an open source solution as I’ve done with my password manager, but that doesn’t seem possible with one of my big requirements:

    Scenario: I’ve had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I’m able to log into my cloud storage and access my password database.

    At this point I’d probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I’m not sure anything like that exists ready to go. I’m not particularly interested in rolling something myself for this.

    I’d be dubious of jumping from one closed source product to another, but if there’s a particularly good option I’m all ears, I’ve been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.

    Edit: added emphasis

      • 9point6@lemmy.world · ↑1 ↓1 · 5 months ago

        (reposted from another comment mentioning aegis)

        Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?

        • kambusha@sh.itjust.works · ↑3 · 5 months ago

          I think the suggestion here is to back up Aegis. I do something similar using Aegis + SyncThing.

          I have a folder on my phone that is synced with my PC. Every so often, I will back up Aegis to that folder, and then it automatically syncs to PC.

          • 9point6@lemmy.world · ↑1 ↓1 · 5 months ago

            Oh, in that case it’s not quite equivalent, because my cloud storage is protected by the two factor code stored in my Authy OTP database.

            I would still need to access the OTP database before I could access the cloud storage, which is where it would be stored in this scenario.

            • WhatAmLemmy@lemmy.world · ↑4 · edited · 5 months ago

              Forget your existing cloud. Your 2FA backup doesn’t need to be protected by 2FA; just encryption and a strong/unique passphrase. Your 2FA backup can’t be used to access any account on its own, without each password. Most OSS E2EE services allow you to create a free account; many without an email. Pick 2 for redundancy, create a NEW account, and set a NEW passphrase (like your 2nd “master” password). Before you transit, upload your OTP backup to both of them.

              This approach is probably more secure than SMS to access 2FA, especially vs a closed source provider like Authy, and especially if your 2FA export is also encrypted with a different password. If you’re already using a password manager and unique passwords for everything, you’re already 95% more secure than everyone else, and removed the primary need for 2FA (password reuse and theft). If you’re doing everything else right, 2FA only makes you 5-10% more secure, and covers far less-likely threats (email takeover, MITM, etc). Sys admins have been raw dogging SSH and PGP keys every day without a 2nd factor, for decades.

    • notabot@lemm.ee · ↑4 · 5 months ago

      If you’re talking about being able to regain access with no local backups (even just a USB key sewn into your clothing) you’re going to need to think carefully about the implications if someone else gets hold of your phone, or hijacks your number. Anything you can do to recover from the scenario is a way an attacker can gain access. Attempting to secure this via SMS is going to be woefully insecure.

      That being said, there are a couple of approaches you could consider. One option is to put an encrypted backup on an sftp server or similar and remember the login and passwords, another would be to have a trusted party, say a family member or very close friend, hold the emergency codes for access to your authentication account or backup site.

      Storing a backup somewhere is a reasonable approach if you are careful about how you secure it and consider if it meets your threat model. The backup doesn’t need to contain all your credentials, just enough to regain access to your actual password vault, so it doesn’t need to be updated often, unless that access changes. I would suggest either an export from your authentication app, a copy of the emergency codes, or a text file with the relevant details. Encrypt this with gpg symmetric encryption so you don’t have to worry about a key file, and use a long, complex, but reconstructable passphrase. By this I mean a passphrase you remember how to derive, rather than trying to remember a high entropy string directly, so something like the second letter of each word of a phrase that means something to you, a series of digits that are relevant to you, maybe the digits from your first friend’s address or something similarly pseudo random, then another phrase. The result is long enough to have enough entropy to be secure, and you’ll remember how to generate it more readily than remembering the phrase itself. It needs to be strong as once an adversary has a copy of the file they have as long as they want to decrypt it. Once encrypted, upload it to a reliable storage location that you can access with just a username and password. Now you need to memorize the storage location, username, password and decryption passphrase generator, but you can recover even to a new phone.

      The second option is to generate the emergency, or backup, codes to your authentication account, or the storage you sync it to, and have someone you trust keep them, only to be revealed if you contact them and they’re sure it’s you. To be more secure, split each code into two halves and have each held by a different person.

      • 9point6@lemmy.world · ↑1 ↓1 · 5 months ago

        Interesting, I’ve seen this one before but it didn’t seem like it would support my deal-breaker scenario—I still can’t seem to see support for that on the readme, could you point me at some docs?

    • ikidd@lemmy.world · ↑5 ↓1 · 5 months ago

      Bitwarden has 2FA built in, and you can host it yourself if you want.

      • 9point6@lemmy.world · ↑3 ↓2 · 5 months ago

        I’ve looked into this before and unfortunately it doesn’t support the SMS requirement I have in my deal-breaker scenario—do you know if this has changed and can point me to the docs regarding it?

        • ikidd@lemmy.world · ↑5 · 5 months ago

          Oops, missed that part. Not that I know of, though SMS is a terrible way to do 2FA. It annoys me so many businesses and banks use it.

          • 9point6@lemmy.world · ↑3 ↓1 · 5 months ago

            I agree it’s much worse than using a modern OTP app, but I need a way to access my OTP database when the only form of digital identity I have access to is my phone number.

            Authy currently supports this scenario for me (with a load of checks, it doesn’t happen instantly), so I would require a like for like replacement

            • EyesInTheBoat@lemmy.world · ↑3 · edited · 5 months ago

              Bitwarden has a 2FA recovery code possible so you could use an unlabeled hard copy of the code. It cycles after every use so it would get you one recovery and doesn’t use SMS so it’s immune to SMS shenanigans.

              • 9point6@lemmy.world · ↑3 ↓1 · 5 months ago

                That’s potentially a solution then, as I guess in order to buy a new phone I would need to have not lost my wallet too at least, so I guess I could keep those items together for equivalent recovery possibility

                Okay that may be a goer, I’ll look a bit more into it, thanks!

    • danielfgom@lemmy.world · ↑4 ↓1 · 5 months ago

      I highly recommend 1Password. It’s cross platform, including Linux, and it’s not only a great and sort of super secure password manager, but it also does 2FA codes and if you use their auto fill tool, it will also paste the 2FA code to clipboard so you can paste it in seamlessly.

      Everything is fully encrypted and needs a really long, unique to you, key to decrypt. So no one will be hacking this anytime soon. Even 1Password cannot open your vault.

    • Infernal_pizza@lemmy.world · ↑3 · edited · 5 months ago

      I have similar requirements to you and honestly the best solution I could find was Microsoft Authenticator. I know Microsoft bad etc, but if you already have a Microsoft account anyway you can back up all your 2fa codes to your iCloud or Google account. If anyone knows of an open source alternative I’d be interested, but the ability to recover my accounts is more important than using something open source

      • 9point6@lemmy.world · ↑1 ↓1 · 5 months ago

        This is a new one to me, but a quick look at their homepage doesn’t seem to suggest SMS support as per my deal-breaker scenario—could you point me to the docs describing that functionality?