Security As A Coffin

On Thursday, Sakurity published an exploit on their blog regarding Authy's SMS 2-factor authentication API. The bug allows an attacker to bypass the now notorious 2FA window with the string

../sms

Coinbase is one of Authy's customers, and claims to "take careful measures to ensure that your bitcoin is as safe as possible." The bitcoin web wallet provider has been a vocal advocate of 2FA, popularizing it to the point of Gavin proposing its inclusion in Bitcoin Core.

Authy runs on Sinatra, a Ruby web framework that uses Rack as a middleware layer between the app and the web server. Sinatra enables Rack Protection by default, and that middleware was the vector for the attack Sakurity describes:

1. The attacker types ../sms in the SMS token field.

2. The client app encodes it as ..%2fsms and makes an API call to Authy – https://api.authy.com/protected/json/verify/..%2fsms/authy_id

3. Path_traversal middleware decodes the path to https://api.authy.com/protected/json/verify/../sms/authy_id, splits it by slashes and removes the directory in front of /..

4. The actual Authy API sees the modified path https://api.authy.com/protected/json/sms/authy_id, simply sends another SMS to authy_id (the victim) and responds with 200 status and {"success":true,"message":"SMS token was sent","cellphone":"+1-XXX-XXX-XX85"}

5. All Authy SDK libraries consider 200 status as a successful response and let the attacker in. Even a custom integration most likely will look for "success":true in the JSON body, and our /sms response body has it. So the only secure way to verify the response is to search for the "token":"is valid" substring (which is what Authy libraries do now).
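The following is an added example, not Sakurity's or Authy's code. It models the path normalisation described above with a simplified helper (an assumption, not the real Rack::Protection code), and shows why a check on HTTP status and success:true passes the /sms response while a check on the verify-specific token field does not. The numeric-token validation on the client side is a further mitigation, also an assumption.

```ruby
require 'json'

# Simplified model of a path-normalising middleware (not the real
# Rack::Protection::PathTraversal): percent-decode slashes, then
# collapse "." and ".." segments, so "verify/../sms" becomes "sms".
def normalize_path(path)
  decoded = path.gsub(/%2f/i, '/')
  out = []
  decoded.split('/').each do |seg|
    case seg
    when '', '.' then next      # empty and "." segments are dropped
    when '..'    then out.pop   # ".." removes the preceding segment
    else out << seg
    end
  end
  '/' + out.join('/')
end

# Weak check: what the post says the SDKs did, trust 200 / success:true.
def weak_verified?(status, body)
  status == 200 && JSON.parse(body)['success'] == true
end

# Strict check: require the verify-specific "token":"is valid" field,
# which the /sms response never carries.
def strict_verified?(status, body)
  status == 200 && JSON.parse(body)['token'] == 'is valid'
end

# Defensive input validation on the client side: only a plain numeric
# token may be interpolated into the verify path at all.
def safe_verify_path(token, authy_id)
  raise ArgumentError, 'token must be digits only' unless token.match?(/\A\d+\z/)
  "/protected/json/verify/#{token}/#{authy_id}"
end
```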

Encryption as a Service is becoming popular in Bitcoin. Services such as BitGo are being used in place of experienced internal security teams, to ease the burden. Developers claim that by outsourcing security they are able to focus on "what matters" in the business rather than on something in which they are inexperienced. It would seem, though, that security should be the primary and critical concern of any Bitcoin business that handles user funds in any capacity.

3 thoughts on “Security As A Coffin”

  1. Clearly any company that claims anything but security as their bread and butter is an Internet css-ing company and not a Bitcoin company.

    Nice article.

  2. Authy is a joke. Today I saw that Betmoose is using Clef as login option.

  3. Good night fucking Irene!
