Hacking, Information Security, Vulnerability

How To Bypass Two Step Verification Code

Now 2 step authentication are not safe, you guys will shock but its true. The attacker types ../sms in the SMS token field.

Sakurity researchers found the way to bypass the Authy 2 factor Authentication.

Here the details:

>> The client app encodes it as ..%2fsms and makes an API call to Authy – https://api.authy.com/protected/json/verify/..%2fsms/authy_id

>> Path_traversal middleware decodes path to https://api.authy.com/protected/json/verify/../sms/authy_id,
splits by slashes and removes the directory in front of /…

>> Actual Authy API sees modified path https://api.authy.com/protected/json/sms/authy_id,
simply sends another SMS to authy_id (the victim) and responds with 200 status and {“success”:true,”message”:”SMS token was sent”,”cellphone”:”+1-XXX-XXX-XX85″}

>> All Authy SDK libraries consider 200 status as a successful response and let the attacker in. Even a custom integration most likely will look for “success”:true in the JSON body, and our /sms response body has it. So the only secure way to verify the response is to search for “token”:”is valid” substring (which is what Authy libraries do now).

Yes, the attacker was able to bypass 2 factor authentication on any website using Authy with something as simple as “../sms” in the token field!

Previous ArticleNext Article
Send this to a friend