Authy 2FA app popped by simple, secret, code
The patch has arrived and the horse has bolted
Attackers could bypass the Authy two factor authentication (2FA) system by typing a phrase in a token field.
Authy's apps make it possible for punters to log in to services like Gmail, Dropbox and Facebook, or even Amazon Web Services, with a one-time password sourced from an app. But prior to the advent of a patch issued 8 February, attackers could type '../sms' into the two factor code field to bypass authentication.
Egor Homakov (@homakov) who reported the flaw overnight says the cause is the default Sinatra dependency rack-protection.
"It turns out even URL encoding was futile - path_traversal module in rack-protection was decoding %2f back to slashes," Homakov says.
"This literally affects every API running Sinatra and reading parameters from the path. This is also a great example how libraries or features that aim to add security actually introduce security vulnerabilities."
Homakov found multiple flaws affecting Authy-node, and Authy-Python that led to the vulnerability. This included a lack of escaping for slashes introducing directory traversal for '../sms'.
"It introduces path traversal making attacker’s job much easier - you only need to type '../sms' to turn /verify API call into /sms (/verify/../sms/authy_id) which will always return 200 status and will bypass 2FA," he says.
Authy has not yet published details of the vulnerability. ®