The woes and tribulations in the Bitcoin world are far from over, despite more and more positive news making headlines all across the world. Authy, a two-factor authentication protocol used by several Bitcoin platforms – including the Bitcoin exchange Coinbase – is prone to a bypass attack which could give unauthorized parties access to your account.
Authy URL Encoding Vulnerable
When it comes to giving users the option of adding extra layers of security to their account, two-factor authentication is one of the most widely used solutions. Several companies are providing 2FA security solutions, such as Google, YubiKey, MePIN and Authy, to name a few. And we always assumed that 2FA could not be bypassed that easily, but apparently we were wrong.
There are several problems going on with the Authy two-factor authentication system, which can also impact users of Bitcoin exchange Coinbase. As an attacker can bypass your Authy 2FA SMS verification quite easily, unauthorized access to your account is bound to happen at some point. But why is Authy so vulnerable?
Authy does not encode the token from user parameters. Because of this major security flaw, Authy’s API calls would let an attacker access someone else’s account after overwriting the path to where the user token should be sent. Everything after the “#” symbol is ignored, effectively letting anyone bypass SMS two-factor authentication.
Note from the Author: It is impossible for Authy to verify whether the request is legitimate or not on the server side.
Authy-python is not as secure as everyone believed it to be either. In fact, it might be even easier to bypass Authy’s SMS two-factor authentication completely. Because Authy-Python allows for path traversal, an attack would only need to add “../SMS” to turn the /verify API call into an “Authentication 200” status, and effectively access the account unauthorized.
URL encoding is futile. Authy uses Sinatra, which uses rack-protection by default. The path_traversal module in rack-protection decodes “%2F” to slashes, instead of a space. Needless to say, any API using Sinatra’s rack-protection is affected by this vulnerability.
To put it in simple terms: anyone can bypass an account’s Authy two-factor SMS authentication by simply typing “../SMS” in the token field, instead of the SMS code. It doesn’t take much skill once you know the weakness found in Authy’s API calls, and the path_traversal module vulnerability was originally patched on February 8th of 2015.
Coinbase Uses Authy
Popular Bitcoin exchange platform Coinbase uses both Authy and Google Authenticator for two-factor authentication. Luckily for Bitcoin users, the Authy vulnerability has been fixed already, and this trick no longer works. But it just goes to show you how vulnerable these login systems really are when relying on third-party API calls.
It will be interesting to see how these kind of vulnerabilities will impact Bitcoin-related platforms in the future.