Yahoo! Voice Call 2FA Fail

Netflix recently fixed an account takeover vulnerability involving automated phone calls and caller ID spoofing. The issue? An attacker could use Netflix’s “forgot email/password” feature to reset an account’s password by directing the reset code to a voice call. In order to force the code to voice mail, the attacker would need to call the account holder’s phone at the same time, and then, the code could be retrieved from the account holder’s voicemail via caller ID spoofing (which something that many operators are vulnerable to even though it’s 2016).

Netflix: Forgot Email/Password

Netflix: Forgot Email/Password

Netflix has now adjusted its system to wait for input before providing the reset code. No input, no code. So nothing just rolls into voicemail anymore.

Waiting for input is how Microsoft’s Office sign in works with its “call me” verification.

Office 365 MFA Options

Microsoft Office Sign In

The automated call agent prompts the account holder to input the pound/hash/number sign (#), and then, once the recipient does so, the sign in is completed.

And then… there’s an organization which was recently in the news because hundreds of millions of account passwords were compromised. Yahoo!

Yahoo! MFA Options

“Call with the code”

Unfortunately, Yahoo’s multi-factor authentication “call with the code” feature is not interactive. It just calls with a one-time code. And so, Yahoo currently suffers from the same vulnerability as Netflix did. An attacker can force such codes to voicemail. And as there are so many compromised passwords in-the-wild… this is a problem.

Here’s a demonstration that Andy and I recorded.

Via Twitter.

Embedded audio.



Articles with similar Tags