
There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.

29 Posts 16 Posters 0 Views
dangoodin@infosec.exchange:

There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.

(link: support.dashlane.com)

What does it mean to brute force 2fa? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust key space before it resets all over -- unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.

Also, if the attacker is brute forcing 2fa, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?

I don't know if my confusion is the result of me not knowing how the Dashlane product works or if it's just Dashlane being opaque.

Can anyone help me read the tea leaves?

bradr@infosec.exchange (#18):

@dangoodin

No rate limiting? No lockout or cooldown after n failures?

Or just let 'em rip at one guess every 30ms?

lauren@mastodon.laurenweinstein.org:

@dangoodin It's doable. And it happens. Set enough automated systems to work at it and it can succeed enough to be profitable, just like spam. Low percentage success doesn't mean they don't do it.

i@toot.pouyan.net (#19):

@lauren@mastodon.laurenweinstein.org it reminds me of AuthQuake:

The vulnerability identified by Oasis, at its core, concerns a lack of rate limit and an extended time interval when providing and validating these one-time codes, thereby allowing a malicious actor to rapidly spawn new sessions and enumerate all possible permutations of the code (i.e., one million) without even alerting the victim about the failed login attempts.

@dangoodin@infosec.exchange


spartan_1986@infosec.exchange (#20):

@dangoodin This assumes TOTP was the method of 2FA, but let’s go with that and assume it was in use. What if this was really a credential stuffing attack where the threat actor already had a password from another compromised service. So knowing that some people (I’m being kind) use the same password on multiple accounts they start feeding those passwords to another service. When they get an unlock, they can then try a traditional brute force. Or, they can be smart and use email account passwords. Then they could tell Dashlane “nope, don’t have my authenticator app” and ask for verification by another means. Does anyone know if Dashlane’s default account recovery method is email? I hope to god it isn’t SMS.


nyanbinary@infosec.exchange (#21):

@dangoodin the "MFA" thing is misleading. Registering a device ONLY requires the email address & a 6-digit numeric "OTP" (e.g. TOTP or OTP via email iirc) which they call "2FA/MFA". Afterwards you can then access the vault "offline", see 4.1.2 here: https://support.dashlane.com/hc/en-us/articles/32877433567634-4-Credential-security-in-detail

Not quite sure what "brute force" means here. For non-TOTP this could be an issue with OTP lifetime? For TOTP this could just be "randomly trying with a 1 in 100000 chance until you get lucky a few times"?

It's a baffling decision & there is a reason other password managers don't just require an OTP to access the vault. It's also terrible communication imo.

bob_zim@infosec.exchange (#22):

@bradr @dangoodin Rate limiting is hard to do well. If you apply it per client IP, then a big botnet can all guess in parallel. If you apply it per account, then an attacker in one place can lock out the legitimate user wherever they are.

dangoodin@infosec.exchange:

@cibyr

Right, but to brute force 2FA, don't you first have to break the first authentication factor? That would mean the number of accounts you can brute force is limited to only those you have already compromised.

sophieschmieg@infosec.exchange (#23):

@dangoodin @cibyr yeah this type of multi user attack doesn't really make much sense, you still only get one try per request. A second factor is usually six decimal digits, meaning the attacker has a one in a million chance of outright guessing it. Usually rate limiting should kick in before anything gets broken.


bob_zim@infosec.exchange (#24):

@nyanbinary @dangoodin Wait, what? A username and a one-time code of some type is all you need to download the vault for offline attack? And it sounds they don’t invalidate the last email OTP when a new one is sent? That seems deeply flawed.


nyanbinary@infosec.exchange (#25):

@bob_zim @dangoodin I don't know about the lifetime of email OTPs, I didn't test with those ftr


mkoek@mastodon.nl (#26):

@Spartan_1986 @dangoodin or maybe the credential stuffing also succeeded on the victim’s online e-mail account and the 2fa method was a code by e-mail


erikvanstraten@todon.nl (#27):

@sophieschmieg : *if* the second factor consists of 6 digits and regularly changes (TOTP: usually every thirty seconds), then it is typically worse than 1 in a million chance.

Because the client clock may be out of sync with the server clock, typically a time window larger than 30 seconds is used to increase fault tolerance.

I suggest you read https://www.oasis.security/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass.

I remembered that attack, but Pouyan (@i) had already referenced "AuthQuake" in an earlier toot (https://toot.pouyan.net/notice/B6xuBX6lzrGenpC74y) - but you may have missed that.

W.r.t. 2FA: if the server, after entering the user-ID and an incorrect password, responds with "wrong userID or password" - before asking for the 2FA code (or a timing difference reveals that the first factor is either wrong or correct), then the attacker's life gets a lot easier.

And if 2FA is reduced to 1FA in "device code" phishing attacks, even passkeys and FIDO2 hardware keys will not prevent account takeovers.

Also "password reset" mechanisms may have flaws (up to Instagram's AI assistant being easily convinced by fraudsters).

@dangoodin @cibyr

#TOTP #TimeWindow #RFC6238 #2FA #Weak2FA #MFA #WeakMFA #BruteForce


targetdrone@mastodon.social (#28):

@sophieschmieg @dangoodin @cibyr Unless the attacker has access to a botnet that can submit one guess from each of 10,000 zombies with unique IP addresses, dodging many rate limit strategies. Given only a hundred accounts, the likelihood of one success over a period of time is very high.


spacelifeform@infosec.exchange (#29):

@dangoodin

How about that it was an inside job and this is just the cover story?
