'hacked'. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.
this post was submitted on 05 Jul 2024
208 points (99.1% liked)
Technology
59555 readers
3343 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
Yeah. They got data in a way that was not intended. That's a hack. It's not always about subverting something by clickity-clacking like in the movies.
Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.
It's the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn't (SQL injections, etc) -- the other, is using the system exactly as it was programmed.
Downloading videos from YouTube isn't "Hacking" YouTube. Even though it's using the API in a way it wasn't intended. Right-clicking a webpage and viewing the source code isn't hacking - even if the website you're looking at doesn't want you looking at the source.
Exploiting is hacking, quit being pedantic.
load more comments
(6 replies)
load more comments
(11 replies)
That's what most exploit-based hacks are. A developer makes a dumb mistake and then someone exploits it to do something they shouldn't be able to do.
load more comments
(1 replies)
Companies need to stop using Authy. It's stupid and pointless when we have a open alternative such as the one used by Google Authenticator or Aegis.
I started using Authy instead of GA because every time I changed the ROM on my phone I would lose all codes, because I would forget every time.
Use aegis, export the keys and then reimport them every time you switch. Trusting your second factor to a cloud is a disaster waiting to happen.
If you want to get fancy setup your own cloud server (nextcloud, Seafile, owncloud etc) and set the backup folder for aegis to the self hosted cloud for easy restore every time you switch ROMs.
This isn't about you and your silly follies
GA now backups your codes in your Google account, so this doesn't happen anymore.
load more comments
(2 replies)
Call my job and tell them this please. I have to use this shite everyday and it sucks.
load more comments
(1 replies)
Red Shazam
Wow, it's literally the shazam logo, flipped horizontally and red.
Wonder who got paid to make that logo?
Does anyone have a suggested alternative for authy?
I'd love to go with an open source solution as I've done with my password manager, but that doesn't seem possible with one of my big requirements:
Scenario: I've had my phone robbed abroad and managed to buy a new one and loaded my ESIM back into it—I need to recover access to my 2 factor database via SMS so I'm able to log into my cloud storage and access my password database.
At this point I'd probably be happy to host a service myself on something like AWS and use SNS for this requirement, but I'm not sure anything like that exists ready to go. I'm not particularly interested in rolling something myself for this.
I'd be dubious of jumping from one closed source product to another, but if there's a particularly good option I'm all ears, I've been otherwise happy with authy for about a decade now, but this plus the retirement of the desktop app have me looking elsewhere.
I use Aegis, which I periodically back up manually off phone.
(reposted from another comment mentioning aegis)
Interesting, I've seen this one before but it didn't seem like it would support my deal-breaker scenario—I still can't seem to see support for that on the readme, could you point me at some docs?
I think the suggestion here is to back up Aegis. I do something similar using Aegis + SyncThing.
I have a folder on my phone that is synced with my PC. Every so often, I will back up Aegis to that folder, and then it automatically syncs to PC.
Oh, in that case it's not quite equivalent, because my cloud storage is protected by the two factor code stored in my Authy OTP database.
I would still need to access the OTP database before I could access the cloud storage, which is where it would be stored in this scenario.
Forget your existing cloud. Your 2FA backup doesn't need to be protected by 2FA; just encryption and a strong/unique passphrase. Your 2FA backup can't be used to access any account on its own, without each password. Most OSS E2EE services allow you to create a free account; many without an email. Pick 2 for redundancy, create a NEW account, and set a NEW passphrase (like your 2nd "master" password). Before you transit upload your OTP backup to both of them.
This approach is probably more secure than SMS to access 2FA, especially vs a closed source provider like Authy, and especially if your 2FA export is also encrypted with a different password. If you're already using a password manager and unique passwords for everything, you're already 95% more secure than everyone else, and removed the primary need for 2FA (password reuse and theft). If you're doing everything else right, 2FA only makes you 5-10% more secure, and covers far less-likely threats (email takeover, MITM, etc). Sys admins have been raw dogging SSH and PGP keys every day without a 2nd factor, for decades.
load more comments
(1 replies)
Bitwarden has 2FA built in, and you can host it yourself if you want.
load more comments
(6 replies)
Aegis is often recommended as an open source solution : https://github.com/beemdevelopment/Aegis
Interesting, I've seen this one before but it didn't seem like it would support my deal-breaker scenario—I still can't seem to see support for that on the readme, could you point me at some docs?
The point is you physically and locally back up the database. Put it on your computer, or a flash drive or whatever. You can set a different, longer password for backups, and I would recommend you do that. When you get your new phone, you just copy the database into it and load it into a freshly installed Aegis. You don't even need to self host anything, there is nothing to host.
Not everything needs to be "in the cloud". I think this event illustrates nicely why.
load more comments
(6 replies)
If you're talking about being able to regain access with no local backups (even just a USB key sewn into your clothing) your going to need to think carefully about the implications if someone else gets hold of your phone, or hijacks your number. Anything you can do to recover from the scenario is a way an attacker can gain access. Attempting to secure this via SMS is going to ne woefully insecure.
That being said, there are a couple of approaches you could consider. One option is to put an encrypted backup on an sftp server or similar and remember the login and passwords, another would be to have a trusted party, say a family member or very close friend, hold the emergency codes for access to your authentication account or backup site.
Storing a backup somewhere is a reasonable approach if you are careful about how you secure it and consider if it meets your threat model. The backup doesn't need to contain all your credentials, just enough to regain access to your actual password vault, so it doesn't need to be updated often, unless that access changes.
I would suggest either an export from your authentication app, a copy of the emergency codes, or a text file with the relevant details. Encrypt this with gpg symmetric encryption so you don't have to worry about a key file, and use a long, complex, but reconstructable passphrase. By this I mean a passphrase you remember how to derive, rather than trying to remember a high entropy string directly, so something like the second letter of each word of a phrase that means something to you, a series of digits that are relevant to you, maybe the digits from your first friend's address or something similarly pseudo random, then another phrase. The result is long enough to have enough entropy to be secure, and you'll remember how to generate it more readily than remembering the phrase itself. It needs to be strong as once an adversary has a copy of the file they jave as long as they want to decrypt it. Once encrypted, upload it to a reliable storage location that you can access with just a username and password. Now you need to memorize the storage location, username, password and decryption passphrase generator, but you can recover even to a new phone.
The second option is to generate the emergency, or backup, codes to your authentication account, or the storage you sync it to, and have someone you trust keep them, only to be revealed if you contact them and they're sure it's you. To be more secure, split each code into two halves and have each held by a different person.
I have similar requirements to you and honestly the best solution I could find was Microsoft Authenticator. I know Microsoft bad etc, but if you already have a Microsoft account anyway you can back up all your 2fa codes to your iCloud or Google account. If anyone knows of an open source alternative I’d be interested, but the ability to recover my accounts is more important than using something open source
I highly recommend 1Password. It's cross platform, including Linux, and it's not only a great and sort l super secure password manager, but it also does 2FA codes and if you use their auto fill tool, it will also paste the 2FA code to clipboard so you can paste it in seamlessly.
Everything is full encrypted and needs a really long, unique to you, key to decrypt. So no one will be hacking this anytime soon. Even 1Password cannot open your vault.
load more comments
(4 replies)
welp
Why does it require a phone number to use?!
They wanted to let companies pay for a non standard 2fa code generation tied to the phone number as it was easier than the mainstream option that was the almost abandoned google authenticator that didn't allow backups.
Cloudflare, humble bundle used that scheme and I hated them for that. Seems that now that plan failed and essentially now authy is a money-losing operation for twilio and this shows on the unsecured API access that allowed the hack
load more comments
(2 replies)
Stop. Trusting. Cloud/SAAS. Security. Apps.
Don't give them your passwords and private keys, because you can never know of they're being stored responsibly, or who has access to them.
Don't give them your personal details, they don't care about protecting user anonymity.
Keep your keys and passwords in local, encrypted files, and generate your TOTPs locally.
"But that's not convenient!" - It's plenty convenient, find an app that supports your phone's biometrics. There are plenty on both Android and iPhone that also work in Windows/MacOS/Linux.
"What if I lose my phone?" - Keep your files backed up. If you don't do this, you deserve to get locked out. Fear of losing data is a good thing, it keeps you vigilant. Apathy gets you another of these stories.
There are plenty of apps that encrypt local storage for security keys and code generation. Stop allowing these tech bros to create honeypots, and making you pay them for the privilege of being an easy target.
"What if I lose my phone?"
I've referenced this scenario in a comment elsewhere in the thread. You've missed the problem in your solution.
A backup is useless if I can't access it when I need to. In the scenario where I'm far from home and have only got a replacement phone to work with, I need a way to access my OTP database (with only my phone number as a 2nd factor, thanks to ESIM provisioning) so I can get to my cloud storage for my password database.
This is a real scenario that doesn't seem covered by most options and people seem to keep glossing over it (And before anyone says that's not likely, I've been in that exact scenario before)
Who said you shouldn't be able to access your backups remotely?
A lot of tools allow you to set up google drive, drop box, whatever. Yes, this brings you back to cloud, but it's better to have a hacker wonder if some random google drive might have juicy auth data than know for sure that some SaaS platform absolutely does. Also, even if they got the file, it should be encrypted, and should be a massive pain to get into (at least long enough to change the passwords stored in the file).
The other (better) option is to have it back up to sftp (or similar), which you manage yourself on private servers. Normally this would be accessed through RSA and/or TOTP, but you can set up secure backup methods (combo any/all of; port knocking, long-password, human-knowable timed password, biometrics, security questions, other trusted humans that have some TOTP that can't open your storage alone, etc).
Right, I get that and that would 100% be part of the solution, but I'm not going to have my cloud storage protected only by a single factor.
Specifically I've kinda happily landed on Authy's SMS being the 2nd factor in that scenario (and that scenario alone as it's generally one of the worst 2nd factors) because I know I can get my ESIM reprovisioned with a phone call to my provider. Plus Authy won't just give me access with an SMS alone, there are verification steps before they will let me access it, which adds piece of mind given the reduced security of an SMS OTP.
I'm not interested in cobbling together my own "secure" solution, I would happily host something ready to go (seems like bitwarden might be a front runner here), but I'm not going to trust my glue is perfect if I've had to do much more than pull a container and set-up a reverse proxy. I cannot guarantee I have the time to patch vulnerabilities manually, etc.
load more comments
(1 replies)
I left Authy a couple of years ago when I realized that I can own my own data. I use KeepassXC. For sync, just syncthing. Both free and I 100 % control of it.
Any online password manager is in my opinion is stupid as it will sooner or later get hacked - info leak. Some may not even apply zero-knowledge about the passwords.
load more comments
(1 replies)
Now that authy has fucked us over with this, what should I move my 2fa codes into, any recommendations?
Unfortunately I can't use aegis on iOS/windows, does keepass have this functionality?
These are not local solutions, but are cross-platform and open source: Bitwarden or Proton Pass.
load more comments
(2 replies)
USB keys. Good luck getting one of those hacked.
load more comments
(7 replies)
lol. I am glad I became privacy conscious before this happened.
view more: next ›