Netflix recently fixed an account takeover vulnerability involving automated phone calls and caller ID spoofing. The issue? An attacker could use Netflix’s “forgot email/password” feature to reset an account’s password by directing the reset code to a voice call. In order to force the code to voicemail, the attacker would need to call the account holder’s phone at the same time, and then the code could be retrieved from the account holder’s voicemail via caller ID spoofing (which is something that many operators are still vulnerable to even though it’s 2016).
Netflix has now adjusted its system to wait for input before providing the reset code. No input, no code. So nothing just rolls into voicemail anymore.
Waiting for input is how Microsoft’s Office sign-in works with its “call me” verification.
The automated call agent prompts the account holder to input the pound/hash/number sign (#), and then, once the recipient does so, the sign-in is completed.
And then… there’s an organization which was recently in the news because hundreds of millions of account passwords were compromised. Yahoo!
Unfortunately, Yahoo’s multi-factor authentication “call with the code” feature is not interactive. It just calls and reads out a one-time code. And so, Yahoo currently suffers from the same vulnerability as Netflix did: an attacker can force such codes to voicemail. And as there are so many compromised passwords in the wild… this is a problem.
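The difference between the two call flows, as an added example (not code from Netflix, Microsoft or Yahoo): a small Python simulation in which the callee is either the account holder or a voicemail system that records audio but never presses a key. Function and callee names are assumptions for the example.

```python
"""Simulated voice-call delivery of a one-time code (constructed example).

The vulnerable IVR speaks the code as soon as the call is answered, so a
voicemail greeting records it. The hardened IVR only speaks the code after
a DTMF keypress, which a voicemail system never produces.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# A callee maps the prompt it hears to the key it presses (None = no key).
Callee = Callable[[str], Optional[str]]


def account_holder(prompt: str) -> Optional[str]:
    """The real user follows the spoken prompt and presses #."""
    return "#" if "pound" in prompt else None


def voicemail(prompt: str) -> Optional[str]:
    """A voicemail greeting records whatever is said but never presses keys."""
    return None


@dataclass
class CallLog:
    spoken: List[str] = field(default_factory=list)  # audio sent down the line


def vulnerable_ivr(callee: Callee, code: str) -> CallLog:
    """Reads the code immediately; never consults the callee at all."""
    log = CallLog()
    log.spoken.append(f"Your code is {code}")
    return log


def hardened_ivr(callee: Callee, code: str, max_prompts: int = 2) -> CallLog:
    """Reads the code only after # is pressed; hangs up after max_prompts tries."""
    log = CallLog()
    prompt = "Press the pound key to hear your code"
    for _ in range(max_prompts):
        log.spoken.append(prompt)
        if callee(prompt) == "#":
            log.spoken.append(f"Your code is {code}")
            return log
    log.spoken.append("No input received. Goodbye.")  # code never disclosed
    return log


def code_disclosed(log: CallLog, code: str) -> bool:
    """True if the code appeared in any audio the callee could have recorded."""
    return any(code in line for line in log.spoken)
```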
Here’s a demonstration that Andy and I recorded.
Via Twitter.