Reddit, one of the largest sites on the Internet, revealed last week that employee accounts at the Internet giant had been compromised. The affected accounts were held at cloud and source code hosting providers, giving the attackers access to systems containing backup data, source code and logs. The most worrying thing for many security experts is that the Reddit hack seems to indicate that the industry-standard two-factor authentication approach, in certain cases, might not offer as much protection for sensitive data as has long been thought.
Older accounts affected by Reddit hack
Reddit was at pains to explain that those users who registered and maintained accounts before 2007 would be affected. What may be worrying is that Reddit discovered the compromised accounts on June 19, but took nearly a month to notify those affected.
The attacker also gained access to logs containing email digests sent between June 3 and June 17, 2018. Email digests are basic recaps of safe-for-work subreddits a given user subscribes to, but they can connect usernames to associated email addresses. Reddit further highlighted that credit card data was not affected.
“If you don’t have an email address associated with your account or your ‘email digests’ user preference was unchecked during that period, you’re not affected,” said Reddit.
Two-factor authentication bypassed
User authentication using a multi-factor system has long been regarded as a solid defense against hackers. But, as Reddit pointed out in a post on its website, there was a weakness, and it involved interception of SMS messages. Reddit engineers did note that the site itself requires people to use TOTP (Time-based One-Time Password) codes, because it was already known that two-factor authentication (2FA) relying on codes delivered by text message has weaknesses.
“Already having our primary access points for code and infrastructure behind strong authentication requiring 2FA, we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” the post explained.
“…but there are situations where we couldn’t fully enforce this on some of our providers since there are additional ‘SMS reset’ channels that we can’t opt out of via account policy. We’ve since resolved this,” the engineer, who goes by KeyserSosa, explained.
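The token-based 2FA the Reddit engineers recommend is TOTP (RFC 6238): a code derived from a shared secret and the current 30-second time step, so nothing is sent over the phone network to be intercepted. The following is an added example, not Reddit's code, showing how a server-side verifier works: an HMAC-SHA1 HOTP core (RFC 4226), a TOTP wrapper, and a verification routine that tolerates one step of clock skew, compares in constant time, and refuses to accept a counter that has already been consumed, so a code that was captured in transit cannot be replayed inside the skew window. The secret and time values are the published RFC test vectors; the base32 helper is a convenience assumed here for authenticator-app style secrets.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1

# RFC 4226 / RFC 6238 SHA-1 test secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form authenticator apps exchange, tolerating
    missing '=' padding and lower-case input (helper assumed for this example)."""
    s = encoded.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the time-step counter the submitted code matched, or None.

    - window: how many steps either side of 'now' are accepted (clock skew).
    - last_used: highest counter already accepted for this user; anything at or
      below it is rejected so a captured code cannot be replayed.
    - hmac.compare_digest avoids leaking, via timing, how many digits matched.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("current code:", code)
    used = verify_totp(SECRET, code, now)
    print("first use accepted at counter:", used)
    print("replay accepted?", verify_totp(SECRET, code, now, last_used=used) is not None)
```

A real deployment stores `last_used` per user alongside the secret and updates it atomically on every successful login; without that bookkeeping the skew window is exactly the replay opportunity an interceptor needs.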
Reddit has since committed to strengthening its approach to security, and it did reach out to users impacted by the incident, noting that user email addresses and, in some cases, private messages may have been exposed. The backups also included old salted and hashed passwords.
Affected users of Reddit offered advice
Reddit is working closely with law enforcement to ensure that those responsible are brought to book. However, the company did offer some advice to those whose accounts may have been affected by the failure in two-factor authentication.
“If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today… And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users, and be alert for potential phishing or scams.”
Experts weigh in on two-factor authentication
Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team) was quick to explain just why the failure of two-factor authentication should be of great interest to security professionals.
“This breach is particularly interesting because it is an example of SMS-based two-factor authentication being used to compromise a major service provider. While SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack of a public service.”
Two-factor authentication has limitations
Young noted that, “Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS-based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers. The most common technique is most likely use of smartphone malware, which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user, but this seems less likely in such a targeted campaign. Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No. 7 (SS7) protocol, which is at the heart of modern telephony routing.” These are all possibilities, but it may be as simple as calling up the victim’s cellular provider and convincing them to transfer the phone number to a new SIM.
“An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars’ worth of equipment,” explains Young. “The moral of this story is that SMS-based two-factor authentication should not be considered ‘strong’ in the face of a determined attacker.”
The Reddit hack and consumers
Koby Kilimnik, security researcher at Imperva, also had advice for Reddit account holders who may have been affected by the failure of Reddit’s two-factor authentication solution.
“I would still recommend changing your reddit password, and if you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database.
“Another good idea is not to use the leaked password anywhere else. Although it’s hard to crack those passwords, once cracked, the chances are much greater that they will also be added to a dictionary in a future ‘credential stuffing attack’.” In other words, usernames and passwords should be changed.
Two-factor authentication still has its place
CipherCloud CEO Pravin Kothari was quick to comment that two-factor authentication still has its place, and that users bear at least some responsibility for the safety of their accounts and for turning on two-factor authentication. He noted the popularity of two-factor authentication and was optimistic about its use, while at the same time sounding a note of caution about how it is being used.
“Today, use of two-factor authentication is a best practice still not used by most authenticating systems. Even when two-factor is offered, for example, in Google’s Gmail, over 90 percent of the Gmail users don’t opt to use it. The Reddit attack shows us that the techniques, tactics and procedures of this highly sophisticated attacker now include interception of this SMS traffic to the targeted individual mobile phones. Consider how many financial systems use a cellphone SMS authentication to validate account sign-on?
“How do you solve this problem? Given that two-factor authentication is still a best practice the likely move by financial institutions will be to utilize token-based SMS systems, instead of mobile phone based systems. In any case two-factor authentication, even with a mobile phone, is still much better than not using two-factor.”
Lessons from the Reddit hack
The lesson to be learned is that no security precaution is infallible. Vigilance is required by both security professionals and users. Only when both of these parties are aware of their respective responsibilities will solutions such as two-factor authentication be truly effective and contribute to improved security.