Hackers breach Reddit to steal source code and internal data

Discussion in 'other security issues & news' started by guest, Feb 9, 2023.

  1. guest

    guest Guest

    By Lawrence Abrams @LawrenceAbrams - February 9, 2023
    Reddit: We had a security incident. Here’s what we know.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    It's basically the same method that got many other companies also hacked. So it's perhaps indeed time that we got rid of the password and phishable 2FA methods. And I have to say that it's very disappointing that apparently browsers can't easily identify fake websites. Wasn't Google Safe Browsing supposed to take care of this?
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,108
    2FA can't be phished. If someone wants to log in on Reddit where 2FA has been set, there is NO way to gain access to that account.
    That's why it is so important not to perform 2FA on the same device, as you asked before.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    What do you mean that 2FA can't be phished? This is actually the main reason why so many companies got hacked in the last few years. If you fill in your username, password and 2FA code on a fake website, the hackers get access to your account; it's really that simple. The problem is that the authentication apps (Authy, Google, Microsoft Authenticator) that produce these 2FA codes aren't resistant to phishing, while things like YubiKey and Passkeys are.
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    25,240
    Location:
    UK
    Reddit claimed to have been hacked by BlackCat, and it has threatened to leak the data [Update]
    https://www.neowin.net/news/reddit-...ckcat-and-it-has-threatened-to-leak-the-data/
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,493
    Location:
    Flat Earth Matrix
    That seems to be Reddit's policy lately: no response, no attempts. Besides, Reddit has not lost any data, users did; Reddit still has access to it and can monetize it, so no loss for them.
     
  7. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,393
    What about brand damage?

    Then again, their CEO does not seem to care about that at all (considering how he's handling the third-party API changes).
     
  8. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    183
    Rasheed, can you expand on that? What makes the former vulnerable and the latter resistant?

    I'm trying to picture how the process works. I'm guessing: user falls victim to fake login page, enters username/password; fake 2FA page asks for code; behind the scenes login credentials are used, but if 2FA is triggered, user should(?) get notified however their 2FA is set up (email, SMS, ...)? Ahhh, is it because using something like Auth/Google Authenticator doesn't actually notify the user, it just generates a code? I can see how that could then be passed behind the scenes to the real login process... I'm unfamiliar with using passkeys.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    A bit of a late reply, but the problem with authenticator apps is that they don't check whether you are trying to log in on the legitimate page. With YubiKey and the upcoming Passkeys this problem is solved. They will only allow you to log in to the legitimate website, so a phishing website won't do any good.

    In my view, it would be cool if authenticator apps only generated a one-time password/code when asked to do so by a request from the legitimate website. I guess this is a bit like push-based 2FA, which of course also isn't foolproof when people get bombarded by login messages triggered by the hacker, but then we're talking about 'man in the middle' attacks, if I'm correct.

    https://blog.identityautomation.com/two-factor-authentication-2fa-explained-push-notifications
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,108
    2FA does not mean getting bombarded with login messages. Especially on Android, the auth apps generate a 6-digit code which changes every 30 seconds. The user needs to enter the digits on the web page, which sometimes has a timeout, but that's not important. The 2FA account is registered with the same email as the service behind it; that's mandatory, and its setup has to be confirmed. So once 2FA has been established, there is no way another person could simply enter the mail address in his app, because it will never be confirmed. Thus not usable means not hackable this way.

    The MS Authenticator can handle 2FA in several ways. When logging in, my phone automatically returns a valid string; with the latest change to my account, I need to enter an additional number to verify.

    Anyhow, the article is now 5 years old and only scratches the surface. Since then a lot has changed and improved. Not very reliable.
     
  11. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,393
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    I was talking about the fact that hackers who already know your username and password can simply redirect you to a fake website. This means that you type your 2FA code into this fake website, and they can log in to your webmail account, for example. That's why TOTP-based authentication apps aren't that great: they don't verify whether you're on the legitimate website.

    At least with SMS-based 2FA, you only get a TOTP that is triggered when someone tries to log in to the legitimate site, since only this website can trigger the SMS. So if you receive a code on your device and you didn't try to log in, you already know there is something strange going on. I believe push-based 2FA works the same, but it's tricky because the user only needs to approve.

    Yes exactly, this is what I meant.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    BTW, I came across this article. But once again I have to say that the problem is that authentication apps don't communicate with the servers as seen in the picture. That's why I was confused in some other thread, I always assumed they did. See links.

    https://www.wilderssecurity.com/thr...eting-internet-companies.446565/#post-3101008
    https://www.wilderssecurity.com/thr...eting-internet-companies.446565/#post-3101044

    So if the server of a legitimate website like mail.yahoo.com asks you for the 2FA code (like SMS-based 2FA), only then could the device with the authenticator app generate the code. That would mean that on a fake website you would never be asked for a code, because they don't know the secret. Which also means that phishing via a fake website wouldn't work. So I wonder if this isn't a big design mistake of current authenticators like Authy and Google/MS Authenticator.

    https://www.keepersecurity.com/blog/2023/07/20/what-are-authenticator-apps-and-how-do-they-work/
     