Now 2 step authentication are not safe, you guys will shock but its true. The attacker types ../sms in the SMS token field.
Sakurity researchers found the way to bypass the Authy 2 factor Authentication.
Here the details:>> The client app encodes it as ..%2fsms and makes an API call to Authy –https://api.authy.com/protected/json/verify/..%2fsms/authy_id
>> Path_traversal middleware decodes path to https://api.authy.com/protected/json/verify/../sms/authy_id,
splits by slashes and removes the directory in front of /…
splits by slashes and removes the directory in front of /…
>> Actual Authy API sees modified path https://api.authy.com/protected/json/sms/authy_id,
simply sends another SMS to authy_id (the victim) and responds with 200 status and{“success”:true,”message”:”SMS token was sent”,”cellphone”:”+1-XXX-XXX-XX85″}
simply sends another SMS to authy_id (the victim) and responds with 200 status and{“success”:true,”message”:”SMS token was sent”,”cellphone”:”+1-XXX-XXX-XX85″}
>> All Authy SDK libraries consider 200 status as a successful response and let the attacker in. Even a custom integration most likely will look for “success”:true in the JSON body, and our /sms response body has it. So the only secure way to verify the response is to search for “token”:”is valid” substring (which is what Authy libraries do now).
