Twitter's two-factor authentication can be abused, researchers say
Twitter's SMS-based two-factor authentication feature could be abused to lock users who don't have it enabled out of their accounts if attackers gain access to their log-in credentials, according to researchers from Finnish antivirus vendor F-Secure.
Twitter introduced two-factor authentication last week as an optional security feature in order to make it harder for attackers to hijack users' accounts even if they manage to steal their usernames and passwords. If enabled, the feature introduces a second authentication factor in the form of secret codes sent via SMS.
According to Sean Sullivan, a security advisor at F-Secure, attackers could actually abuse this feature in order to prolong their unauthorized access to accounts that don't have two-factor authentication enabled. The researcher first described the issue Friday in a blog post.
An attacker who steals someone's log-in credentials, via phishing or some other method, could associate a prepaid phone number with that person's account and then enable two-factor authentication, Sullivan said Monday. If that happens, the real owner won't be able to recover the account by simply performing a password reset, and will have to contact Twitter support, he said.
This is possible because Twitter doesn't use any additional method to verify that whoever has access to an account via Twitter's website is also authorized to enable two-factor authentication.
When the two-factor authentication option, called "Account Security," is first enabled on the account settings page, the site asks users whether they successfully received a test message sent to their phone. Users can simply click "yes," even if they didn't receive the message, Sullivan said.
Instead, Twitter should send a confirmation link to the email address associated with the account for the account owner to click in order to confirm that two-factor authentication should be enabled, Sullivan said.
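To make the design point concrete, the following is an added illustration (not code from Twitter, F-Secure or the article) modelling the enrollment flow the article describes beside a hardened one. The weak flow trusts the user's "yes, I got the test message" click; the hardened flow requires the code that was actually delivered by SMS and a single-use confirmation token sent to the account's registered email, so that someone holding only the password and a fresh phone number cannot complete enrollment. The `Account` class, the simulated `outbox` and the phone numbers and addresses are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    """Minimal stand-in for a user record (constructed for this example)."""
    username: str
    email: str
    phone: Optional[str] = None
    two_factor_enabled: bool = False
    pending_sms_code: Optional[str] = None
    pending_email_token: Optional[str] = None
    # Simulated deliveries: (channel, destination, payload). Constructed; a real
    # service would hand these to an SMS gateway and a mail server instead.
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)


def last_delivery(acct: Account, channel: str) -> Optional[str]:
    """Return the payload of the most recent message sent on a channel."""
    for ch, _dest, payload in reversed(acct.outbox):
        if ch == channel:
            return payload
    return None


def weak_enable_2fa(acct: Account, phone: str, user_clicked_yes: bool) -> bool:
    """Flow as described in the article: the client asserts receipt, nothing is checked."""
    acct.phone = phone
    acct.outbox.append(("sms", phone, "test message"))
    if user_clicked_yes:          # any logged-in session can say "yes"
        acct.two_factor_enabled = True
    return acct.two_factor_enabled


def start_enable_2fa(acct: Account, phone: str) -> None:
    """Hardened step 1: issue a possession proof for the phone and an owner proof via email."""
    acct.pending_sms_code = f"{secrets.randbelow(10**6):06d}"   # 6-digit OTP
    acct.pending_email_token = secrets.token_urlsafe(32)        # unguessable link token
    acct.phone = phone                                           # recorded, not yet trusted
    acct.outbox.append(("sms", phone, acct.pending_sms_code))
    acct.outbox.append(("email", acct.email, acct.pending_email_token))


def finish_enable_2fa(acct: Account, submitted_code: str, clicked_token: str) -> bool:
    """Hardened step 2: both proofs must match; pending secrets are single-use."""
    if acct.pending_sms_code is None or acct.pending_email_token is None:
        return False
    ok_sms = hmac.compare_digest(submitted_code, acct.pending_sms_code)
    ok_email = hmac.compare_digest(clicked_token, acct.pending_email_token)
    acct.pending_sms_code = None      # invalidate regardless of outcome
    acct.pending_email_token = None
    if ok_sms and ok_email:
        acct.two_factor_enabled = True
    return acct.two_factor_enabled


def simulate_takeover() -> Tuple[bool, bool]:
    """Someone holding only the password enrolls a phone they control.

    Returns (weak_flow_succeeded, hardened_flow_succeeded).
    """
    weak = Account("victim", "victim@example.invalid")
    weak_result = weak_enable_2fa(weak, "+15550000099", user_clicked_yes=True)

    hardened = Account("victim", "victim@example.invalid")
    start_enable_2fa(hardened, "+15550000099")
    # The enrolling party does receive the SMS on their own phone ...
    code = last_delivery(hardened, "sms")
    # ... but not the email sent to the owner's registered address, so they must guess.
    hardened_result = finish_enable_2fa(hardened, code, "guessed-token")
    return weak_result, hardened_result


if __name__ == "__main__":
    print(simulate_takeover())
```

The legitimate owner completes the hardened flow by submitting both the SMS code and the token from their inbox; the same `finish_enable_2fa` call then returns `True`. Invalidating the pending secrets on every attempt, success or failure, is what keeps the email token from being brute-forced by repeated submissions.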
As it is, the researcher is afraid that this feature could be abused by determined attackers like the Syrian Electronic Army, a hacker group that recently hijacked the Twitter accounts of several news organizations, in order to prolong their unauthorized access to compromised accounts.
Some security researchers have already expressed their belief that Twitter's two-factor authentication feature, in its current implementation, is impractical for news organizations and companies with geographically spread social media teams, where different employees have access to the same Twitter account and cannot share a single phone number for authentication.
Twitter did not immediately respond to a request for comment sent Monday regarding the issue described by Sullivan.
Twitter probably rushed to get this feature out and didn't fully consider all of its aspects, Sullivan said. Nonetheless, this is likely just the beginning, and the company will eventually have a solid implementation, he said.
Source: https://www.pcworld.com/article/452076/twitters-two-factor-authentication-can-be-abused-researchers-say.html
Posted by: lesherporwhou.blogspot.com