Categories: News

Coinbase Was Vulnerable to Authy 2FA Exploit

The woes and tribulations in the Bitcoin world are far from over, despite more and more positive news making headlines all across the world. Authy, a two-factor authentication protocol used by several Bitcoin platforms – including the Bitcoin exchange Coinbase – is prone to a bypass attack which could give unauthorized parties access to your account.

Authy URL Encoding Vulnerable

When it comes to giving users the option of adding extra layers of security to their account, two-factor authentication is one of the most widely used solutions. Several companies are providing 2FA security solutions, such as Google, YubiKey, MePIN and Authy, to name a few. And we always assumed that 2FA could not be bypassed that easily, but apparently we were wrong.

There are several problems going on with the Authy two-factor authentication system, which can also impact users of Bitcoin exchange Coinbase. As an attacker can bypass your Authy 2FA SMS verification quite easily, unauthorized access to your account is bound to happen at some point. But why is Authy so vulnerable?

Authy does not encode the token from user parameters. Because of this major security flaw, Authy’s API calls would let an attacker access someone else’s account after overwriting the path to where the user token should be sent. Everything after the “#” symbol is ignored, effectively letting anyone bypass SMS two-factor authentication.

Note from the Author: It is impossible for Authy to verify whether the request is legitimate or not on the server side.

Authy-python is not as secure as everyone believed it to be either. In fact, it might be even easier to bypass Authy’s SMS two-factor authentication completely. Because Authy-Python allows for path traversal, an attack would only need to add “../SMS” to turn the /verify API call into an “Authentication 200” status, and effectively access the account unauthorized.

Related Post

URL encoding is futile. Authy uses Sinatra, which uses rack-protection by default. The path_traversal module in rack-protection decodes “%2F” to slashes, instead of a space. Needless to say, any API using Sinatra’s rack-protection is affected by this vulnerability.

To put it in simple terms: anyone can bypass an account’s Authy two-factor SMS authentication by simply typing “../SMS” in the token field, instead of the SMS code. It doesn’t take much skill once you know the weakness found in Authy’s API calls, and the path_traversal module vulnerability was originally patched on February 8th of 2015.

Coinbase Uses Authy

Popular Bitcoin exchange platform Coinbase uses both Authy and Google Authenticator for two-factor authentication. Luckily for Bitcoin users, the Authy vulnerability has been fixed already, and this trick no longer works. But it just goes to show you how vulnerable these login systems really are when relying on third-party API calls.

It will be interesting to see how these kind of vulnerabilities will impact Bitcoin-related platforms in the future.

Source : http://sakurity.com/blog/2015/03/15/authy_bypass.html/

 

JP Buntinx

JP Buntinx is a FinTech and Bitcoin enthusiast living in Belgium. His passion for finance and technology made him one of the world's leading freelance Bitcoin writers, and he aims to achieve the same level of respect in the FinTech sector.

Share
Published by
JP Buntinx

Recent Posts

Best Altcoins to Invest in Today: Qubetics Sets the Stage for Blockchain’s Future as Bitcoin Hits $108K and Litecoin Soars

The cryptocurrency world has always been a hotbed of innovation, attracting both seasoned investors and…

45 mins ago

Dogecoin Millionaire Predicts This Undervalued Altcoin Could Match DOGE’s 2021 Gains

Dogecoin's 2021 rally was a historic one, turning ordinary investors into overnight millionaires. This magnificent…

1 hour ago

Qubetics Presale Skyrockets to $7.5M as XRP and Arbitrum Lead Best Altcoins for Exponential Returns

The crypto market is always evolving, with big names like Bitcoin and Ethereum leading the…

2 hours ago

Over 300K Users Actively Mine Crypto On BlockDAG’s X1 Miner App While BNB Bulls Eye $3K; What’s XRP’s Price Target?

The crypto market is ablaze with excitement as altcoins like XRP and BNB make major…

2 hours ago

Best Crypto Presale To Buy Now: Rollblock Delivers For Holders With New License, Record Sign Ups and 7000+ Games

Rollblock is quickly becoming the best crypto presale to buy, delivering unmatched value for its…

6 hours ago

Polkadot And Uniswap Gearing For Post-Christmas Jump As Rollblock Raises $7.4 Million in Presale

While Rollblock's continues its crypto presale, with its value increasing regularly, Polkadot (DOT) and Uniswap…

7 hours ago