There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.
-
@dangoodin How many digits is the 2FA code which is sent? It's possible that these users had password, reuse issues and were relying on the 2FA to keep them safe. It's also possible for services to leak information about whether a password is valid or invalid, if it responds differently in some way, when a user enters a valid password, than an invalid one. Maybe the hackers were able to enumerate a list of users of the service in some way and then try passwords from known breaches.
@dangoodin Assuming they somehow did manage to hit upon correct username/passwords for a subset of the services users, it's then dependent on the service's implementation of rate limiting and other protection mechanisms in their 2FA to prevent the hacker getting in and stealing the user's info.
-
Yes, with more than 4,000 guesses in 40 seconds to be successful. That sounds possible, but also leaves a large margin for doubt.
@dangoodin It's doable. And it happens. Set enough automated systems to work at it and it can succeed enough to be profitable, just like spam. Low percentage success doesn't mean they don't do it.
-
@dangoodin Assuming they somehow did manage to hit upon correct username/passwords for a subset of the services users, it's then dependent on the service's implementation of rate limiting and other protection mechanisms in their 2FA to prevent the hacker getting in and stealing the user's info.
@dangoodin Imagine you have large botnet to throw out the problem of cracking the 2FA code. You've got basically got tens or hundreds of thousands of unique IP addresses all attempting logins with the correct username and password. If there's only minimal rate limiting on a per IP basis, maybe each of those IP's gets 10 guesses before being put in slow down mode. Or maybe you simply make the attempts at a fairly slow rate, but because of the size of your botnet, the overall gas rate is high.
-
There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.
What does it mean to brute force 2fa? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust key space before it resets all over -- unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.
Also, if the attacker is brute forcing 2fa, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?
I don't know if my confusion is the result of me not knowing the how the Dashlane product works or if it's just Dashlane being opaque.
Can anyone help me read the tea leaves?
@dangoodin it may only be 20 encrypted vaults but i reckon a lot more users affected. Because I'm one of them.
-
@dangoodin Imagine you have large botnet to throw out the problem of cracking the 2FA code. You've got basically got tens or hundreds of thousands of unique IP addresses all attempting logins with the correct username and password. If there's only minimal rate limiting on a per IP basis, maybe each of those IP's gets 10 guesses before being put in slow down mode. Or maybe you simply make the attempts at a fairly slow rate, but because of the size of your botnet, the overall gas rate is high.
@dangoodin So, you've got this big botnet slowly grinding away making guesses at a particular user's momentary 2FA code and apparently the service's real-time monitoring and logging isn't active enough to go "Oh, hello. This is weird. We've got 150k failed login attempts on this one username. Maybe we should do something about it."
-
@dangoodin you only need to try every option if you want to guarantee getting into a particular account. If you try a small number of codes against a large number of accounts, statistically some of them will match. And if that locks out the rest of the accounts, so be it...
@cibyr and that’s essentially a denial of service, so if you’re trying to hurt the company, job done
@dangoodin -
Yes, with more than 4,000 guesses in 40 seconds to be successful. That sounds possible, but also leaves a large margin for doubt.
@dangoodin the article states that they did automatically protect against high rates
-
R relay@relay.infosec.exchange shared this topic
-
@dangoodin the article states that they did automatically protect against high rates
@GuillaumeRossolini @dangoodin If you can't stuff it, and if it is a TOTP system, the only other likely possibilities involve issues like deeper implementation issues (e.g., more than one response will match, making the search space much smaller, etc.). Or there's something else going on entirely. Not enough info.
-
@dangoodin you only need to try every option if you want to guarantee getting into a particular account. If you try a small number of codes against a large number of accounts, statistically some of them will match. And if that locks out the rest of the accounts, so be it...
Right, but to brute force 2FA, don't you first have to break the first authentication factor? That would mean the number of accounts you can brute force is limited to only those you have already compromised.
-
@GuillaumeRossolini @dangoodin If you can't stuff it, and if it is a TOTP system, the only other likely possibilities involve issues like deeper implementation issues (e.g., more than one response will match, making the search space much smaller, etc.). Or there's something else going on entirely. Not enough info.
@lauren oh yes the article is definitely low on details and it reads like they are using words that may bring some empathy
I’m guessing there was a combination of a leak somewhere that allowed the attacker to spray passwords, identifying the accounts they could even try to attack further
Then the brute force aspect on those, but really, how fast did their automated system catch on? Can it be called a brute force attack if each account saw 5 tries before being put on hold?
Or did they consider that because of how many accounts were targeted (which they don’t say), it still counts as brute forcing?
And this gem
Our team has taken steps to mitigate the risk of future incidents and continue to harden our resiliency
-
There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.
What does it mean to brute force 2fa? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust key space before it resets all over -- unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.
Also, if the attacker is brute forcing 2fa, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?
I don't know if my confusion is the result of me not knowing the how the Dashlane product works or if it's just Dashlane being opaque.
Can anyone help me read the tea leaves?
No rate limiting? No lockout or cooldown after n failures?
Or just let 'em rip at one guess every 30ms?
-
R relay@relay.mycrowd.ca shared this topic
-
@dangoodin It's doable. And it happens. Set enough automated systems to work at it and it can succeed enough to be profitable, just like spam. Low percentage success doesn't mean they don't do it.
@lauren@mastodon.laurenweinstein.org it reminds me of AuthQuake:
The vulnerability identified by Oasis, at its core, concerns a lack of rate limit and an extended time interval when providing and validating these one-time codes, thereby allowing a malicious actor to rapidly spawn new sessions and enumerate all possible permutations of the code (i.e., one million) without even alerting the victim about the failed login attempts.
-
There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.
What does it mean to brute force 2fa? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust key space before it resets all over -- unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.
Also, if the attacker is brute forcing 2fa, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?
I don't know if my confusion is the result of me not knowing the how the Dashlane product works or if it's just Dashlane being opaque.
Can anyone help me read the tea leaves?
@dangoodin This assumes TOTP was the method of 2FA, but let’s go with that and assume it was in use. What if this was really a credential stuffing attack where the threat actor already had a password fro another compromised service. So knowing that some people (I’m being kind) use the same password on multiple accounts they start feeding those passwords to another service. When they get an unlock, they can the try a traditional brute force. Or, they can be smart and use email account passwords. Then they could tell Dashlane “nope, don’t have my authenticator app” and ask for verification by another means. Does anyone know if Dashlane’s default account recovery method is email? I hope to god it isn’t SMS.
-
There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.
What does it mean to brute force 2fa? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust key space before it resets all over -- unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.
Also, if the attacker is brute forcing 2fa, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?
I don't know if my confusion is the result of me not knowing the how the Dashlane product works or if it's just Dashlane being opaque.
Can anyone help me read the tea leaves?
@dangoodin the "MFA" thing is misleading. Registering a device ONLY requires the email address & a 6-digit numeric "OTP" (e.g. TOTP or OTP via email iirc) which they call "2FA/MFA". Afterwards you can then access the vault "offline", see 4.1.2 here: https://support.dashlane.com/hc/en-us/articles/32877433567634-4-Credential-security-in-detail
Not quite sure what "brute force" means here. For non-TOTP this could be an issue with OTP lifetime? For TOTP this could just be "randomly trying with a 1 in 100000 chance untl you get lucky a few times"?
It's a baffling decision & there is a reason other password managers don't just require an OTP to access the vault. It's also terrible communication imo.
-
No rate limiting? No lockout or cooldown after n failures?
Or just let 'em rip at one guess every 30ms?
@bradr @dangoodin Rate limiting is hard to do well. If you apply it per client IP, then a big botnet can all guess in parallel. If you apply it per account, then an attacker in one place can lock out the legitimate user wherever they are.
-
Right, but to brute force 2FA, don't you first have to break the first authentication factor? That would mean the number of accounts you can brute force is limited to only those you have already compromised.
@dangoodin @cibyr yeah this type of multi user attack doesn't really make much sense, you still only get one try per request. A second factor is usually six decimal digits, meaning the attacker has a one in a million chance of outright guessing it. Usually rate limiting should kick in before anything gets broken.
-
@dangoodin the "MFA" thing is misleading. Registering a device ONLY requires the email address & a 6-digit numeric "OTP" (e.g. TOTP or OTP via email iirc) which they call "2FA/MFA". Afterwards you can then access the vault "offline", see 4.1.2 here: https://support.dashlane.com/hc/en-us/articles/32877433567634-4-Credential-security-in-detail
Not quite sure what "brute force" means here. For non-TOTP this could be an issue with OTP lifetime? For TOTP this could just be "randomly trying with a 1 in 100000 chance untl you get lucky a few times"?
It's a baffling decision & there is a reason other password managers don't just require an OTP to access the vault. It's also terrible communication imo.
@nyanbinary @dangoodin Wait, what? A username and a one-time code of some type is all you need to download the vault for offline attack? And it sounds they don’t invalidate the last email OTP when a new one is sent? That seems deeply flawed.
-
@nyanbinary @dangoodin Wait, what? A username and a one-time code of some type is all you need to download the vault for offline attack? And it sounds they don’t invalidate the last email OTP when a new one is sent? That seems deeply flawed.
@bob_zim @dangoodin I dont know about the lifetime of email OTPs, I didn't test with those ftr
-
@dangoodin This assumes TOTP was the method of 2FA, but let’s go with that and assume it was in use. What if this was really a credential stuffing attack where the threat actor already had a password fro another compromised service. So knowing that some people (I’m being kind) use the same password on multiple accounts they start feeding those passwords to another service. When they get an unlock, they can the try a traditional brute force. Or, they can be smart and use email account passwords. Then they could tell Dashlane “nope, don’t have my authenticator app” and ask for verification by another means. Does anyone know if Dashlane’s default account recovery method is email? I hope to god it isn’t SMS.
@Spartan_1986 @dangoodin or maybe the credential stuffing also succeeded on the victim’s online e-mail account and the 2fa method was a code by e-mail
-
@dangoodin @cibyr yeah this type of multi user attack doesn't really make much sense, you still only get one try per request. A second factor is usually six decimal digits, meaning the attacker has a one in a million chance of outright guessing it. Usually rate limiting should kick in before anything gets broken.
@sophieschmieg : *if* the second factor consist of 6 digits and regularly changes (TOTP: usually every thirty seconds), then it is typically worse than 1 in a million chance.
Because the client clock may be out of sync with the server clock, typically a time window larger than 30 seconds is used to increase fault tolerance.
I suggest you read https://www.oasis.security/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass.
I remembered that attack, but Pouyan (@i) had already referenced "AuthQuake" in an earlier toot (https://toot.pouyan.net/notice/B6xuBX6lzrGenpC74y) - but you may have missed that.
W.r.t. 2FA: if the server, after entering the user-ID and an incorrect password, responds with "wrong userID or password" - before asking for the 2FA code (or a timing difference reveals that the first factor is either wrong or correct), then the attacker's life gets a lot easier.
And if 2FA is reduced to 1FA in "device code" phishing attacks, even passkeys and FIDO2 hardware keys will not prevent account takeovers.
Also "password reset" mechanisms may have flaws (upto Instagram's AI assistent being easily convinced by fraudsters).
#TOTP #TimeWindow #RFC6238 #2FA #Weak2FA #MFA #WeakMFA #BruteForce
