Google Apps Security Beat By CloudFlare Hackers

Published: 22/11/2024   Category: security


Google's Gmail password recovery routine allowed two-factor authentication to be bypassed.


CloudFlare describes itself as a service that protects and accelerates any website, but even a company focused on security can be hacked. Last week, the company and its customer 4Chan, the infamous message board, were attacked by the hacking group UGNazi.
While the hack was in place, visitors to 4Chan were redirected to a UGNazi Twitter account. The FBI last week reportedly arrested a hacker known as Cosmo, said to be the leader of the group, for the group's alleged involvement in the breach of billing company WHMCS last month.
One of the hacking group's Twitter accounts offers this response: "You can't arrest an idea." In a statement posted to Pastebin, UGNazi said 4Chan had been attacked for failing to adequately police pedophile content and discussions.
CloudFlare has decided to disclose as many details of the incident as possible to make its customers and the Internet community aware of potential vulnerabilities, CEO Matthew Prince said in a phone interview. He declined to comment on whether his company is working with law enforcement to investigate the attack, but given that UGNazi already has the attention of the FBI, such cooperation can be assumed.
On Friday, Prince published details of the attack. The incident is particularly troubling because the hacker managed to bypass two-factor authentication on CloudFlare's Google Apps For Business account through a flaw in the account recovery process.
Two-factor authentication for Google Apps requires that a user log in with a password and also with a special access code, generated by a mobile phone app or obtained from a pre-generated list. But the account recovery process for Google Apps omitted the access code requirement in certain circumstances.
"If an administrator account that was configured to send password reset instructions to a registered secondary email address was successfully recovered, 2-step verification would have been disabled in the process," a Google spokesperson explained in an emailed statement. "This could have led to abuse if their secondary email account was compromised through some other means. We resolved the issue last week to prevent further abuse."
The secondary email account that was compromised happened to be Prince's personal Gmail account. Prince said that when CloudFlare established its Google Apps email address, he listed his own personal email address as the recovery address for the CloudFlare Google Apps account. This allowed the hacker to abuse Google's password recovery process to have password reset information sent to Prince's personal account.
With the password reset information, the hacker was able to access CloudFlare's Google Apps administrative panel and initiate a separate password reset request for 4Chan's CloudFlare account. The hacker then changed the DNS settings for the 4Chan website, temporarily redirecting visitors to a UGNazi Twitter account.
Prince said that no other CloudFlare customers have been affected, though a review of the compromised email accounts revealed the presence of a number of customers' CloudFlare API keys. These keys have been changed to prevent abuse, which will require customers using software that needs an API key, such as the CloudFlare WordPress plugin, to enter a new API key.
None of this would have happened had the hacker not first gained access to Prince's personal Gmail account, where the CloudFlare Google Apps account's password reset information was sent. Prince on Monday said that as a result of working with Google to investigate the incident, he now believes that the hacker compromised AT&T's voicemail system, either through social engineering or an undisclosed vulnerability, and redirected calls to his number to a new voicemail box. This allowed the hacker to obtain the Gmail account recovery code sent to the hijacked voicemail box.
"The upshot is that if an attacker knows your phone number and your phone number is listed as a possible recovery method for your Google account then, at best, your Google account may only be as secure as your voicemail PIN," he wrote. "In this case, we believe AT&T was compromised, potentially through social engineering of their support staff, allowing the hacker to bypass even the security of the PIN."
Prince became aware that his personal Gmail account had been compromised within minutes of the unauthorized access. The hacker gained access to his account at about 11:39am PT on Friday, and two minutes later Prince received an email in his linked CloudFlare account stating that the password of his personal Gmail account had been reset. Thereafter, Prince and the hacker battled for control of the account, each trying to reset the account password. This happened 10 times in the space of 15 minutes, according to Prince, until the hacker succeeded in removing Prince's mobile phone and email address from the account recovery process.
Prince suggests that Google should consider adding controls to limit the removal of recovery email addresses following password resets. At the same time, he stresses that Google's security team was responsive and attentive to the incident and deserves praise for its handling of the situation.
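To make the two design points in the story concrete (a recovery path that silently disables 2-step verification, and recovery options that can be stripped by a session obtained without a second factor), here is a small Python model of an admin account's recovery policy. It is an added illustration written for this page, not code from the article, from CloudFlare or from Google; the account fields, the `recover_legacy`/`recover_hardened` functions and the `require_strong` control are assumptions that mirror the behaviour the article describes, and the e-mail addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Account:
    """Constructed model of an admin account; not Google's data model."""
    email: str
    password: str
    two_step_enabled: bool = True
    recovery_email: Optional[str] = None
    audit: List[str] = field(default_factory=list)


@dataclass
class Session:
    account: Account
    strong: bool  # True only if a second factor was presented at sign-in


def login(acct: Account, password: str, second_factor: Optional[str]) -> Optional[Session]:
    """Normal sign-in: password, plus an access code whenever 2-step is enabled."""
    if password != acct.password:
        acct.audit.append("login refused: bad password")
        return None
    if acct.two_step_enabled:
        if second_factor != "valid-code":  # placeholder for a real TOTP/backup-code check
            acct.audit.append("login refused: 2-step enabled, no access code")
            return None
        return Session(acct, strong=True)
    return Session(acct, strong=False)


def recover_legacy(acct: Account, controls_recovery_email: bool, new_password: str) -> bool:
    """Recovery as the article describes it before Google's fix: a successful
    reset through the secondary e-mail address also turns 2-step verification off."""
    if not acct.recovery_email or not controls_recovery_email:
        return False
    acct.password = new_password
    acct.two_step_enabled = False
    acct.audit.append("recovery: password reset via secondary e-mail; 2-step DISABLED")
    return True


def recover_hardened(acct: Account, controls_recovery_email: bool, new_password: str) -> bool:
    """Assumed hardened variant (not Google's actual implementation): the reset
    still goes through, but 2-step verification stays in force."""
    if not acct.recovery_email or not controls_recovery_email:
        return False
    acct.password = new_password
    acct.audit.append("recovery: password reset via secondary e-mail; 2-step kept")
    return True


def remove_recovery_email(session: Session, require_strong: bool) -> bool:
    """Editing recovery options. With require_strong=True (the control the article
    suggests), a session that never presented a second factor cannot strip them."""
    if require_strong and not session.strong:
        session.account.audit.append("recovery-option change refused: no second factor in session")
        return False
    session.account.recovery_email = None
    session.account.audit.append("recovery e-mail removed")
    return True


def simulate(hardened: bool) -> dict:
    """Replay the incident's chain with only the secondary mailbox under attacker control."""
    acct = Account(email="admin@example-corp.test", password="original-secret",
                   two_step_enabled=True, recovery_email="ceo-personal@example.test")
    recover = recover_hardened if hardened else recover_legacy
    recovered = recover(acct, controls_recovery_email=True, new_password="attacker-chosen")
    # The attacker now knows the new password but holds no access code.
    sess = login(acct, "attacker-chosen", second_factor=None)
    locked_out = remove_recovery_email(sess, require_strong=hardened) if sess else False
    return {
        "recovered": recovered,
        "admin_session": sess is not None,
        "two_step_enabled": acct.two_step_enabled,
        "owner_locked_out": locked_out,
        "audit": acct.audit,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "legacy", simulate(mode))
```

In the legacy run the single compromised mailbox yields a full admin session and lets the attacker delete the owner's recovery address, which is the sequence the article recounts; in the hardened run the same reset succeeds but is useless without the access code, and the recovery options survive. The `audit` list is the kind of trail a defender would want to alert on, since a reset that disables 2-step verification, or a recovery-option change shortly after a reset, is exactly the signal that gave Prince his two-minute warning.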
