Attackers could maintain access after a password change
Security researcher Luke Berner has released a blog post detailing how he was able to abuse 2FA methods used by major platforms including Google Mail, Microsoft, and Instagram.
Berner first discovered the bug in Google.
When logging in from a new device, Google requests a user to authenticate themselves with a 2FA code.
While still in the process of completing 2FA, Berner changed the account password in another browsing window.
This should force all sessions to become inactive, however, after waiting 10-15 minutes, Berner was able to enter the 2FA code into the original page and gain access.
Writing in the blog post, he said: “After some weeks of slowly testing different scenarios (to be honest, I thought it was a dead-end) I found out a way of bypassing session expiration: if you went to ‘Try another way’ in the 2FA input page, chose 2FA as a method again (funny, right?) your session was renewed, and you had another 20 minutes to go. Automated this test, made a PoC, waited for +2 hours and it still worked.
“But this was not the best part. Poking around the options available and all the possible flows, I tried all this process again but, in the middle, turned off 2FA. Being in the 2FA input page, the code should not work if 2FA is off, right? Well, wrong. The 2FA code was working even when the 2FA option was off!”
This bug could mean that an attacker could log into an account, say with credentials taken from a data leak, enable 2FA, wait in the 2FA page in another browser, and disable it.
The victim would then change their password, but later the attacker could input the valid 2FA code and again access the account, without knowing the new password.
Google confirmed the bug and fixed the issue, awarding Berner a bounty for his find.
Both Microsoft and Instagram acknowledged his findings, but labeled it as “working as intended”.
Notably, the attacker would have to know the password in the first instance, narrowing the risk of exploitation.
Some researchers online dismissed the bug as being ‘not very useful in the wild’, however as Twitter user @knowisy pointed out: “The point is that this bug sabotages proper recovery from take over (and password change). So, for me this is valid.”