A security company is pointing to a feature in Google’s authentication app that it says significantly worsened a recent internal network breach.

Retool, which helps customers secure their software development platforms, voiced the criticism in a post on Wednesday in which it disclosed a compromise of its customer support system. The breach gave the attackers responsible access to the accounts of 27 customers, all in the cryptocurrency industry. The attack began when a Retool employee clicked on a link in a text message that purported to be from a member of the company’s IT team.

“Dark Patterns”

The text warned that the employee could not participate in the company’s open enrollment for health insurance coverage until an account issue was resolved. It arrived while Retool was in the process of moving its login platform to security company Okta. (Okta itself disclosed the breach of one of its third-party customer support engineers last year and the compromise of four of its customers’ Okta superuser accounts this month, but neither incident was mentioned in Wednesday’s announcement.)

Most of the Retool employees targeted did nothing, but one logged into the linked page and, judging by the wording of the poorly written disclosure, presumably provided both a password and a time-based one-time password (TOTP) from Google Authenticator.


Shortly thereafter, the employee received a call from someone who claimed to be a member of the IT team and familiar with the “office layout, colleagues and internal processes of our company.” During the call, the employee announced an “additional multi-factor code.” At that point, the disclosure said, a sync feature that Google added to its authenticator in April increased the severity of the breach because it allowed the attackers to access not just the employee’s account, but a variety of them Compromise other company accounts.

“The additional OTP token shared during the call was critical, as it allowed the attacker to add his own personal device to the employee’s Okta account, allowing him to produce his own Okta MFA from that point on,” Snir Kodesh, technical lead at Retool, wrote. “This allowed them to have an active GSuite session on that device. Google recently released the Google Authenticator sync feature, which syncs MFA codes to the cloud. As Hacker News noted, this is extremely insecure because if your Google account is compromised, your MFA codes are also compromised.”

The post is unclear in many ways. By “OTP token,” for example, did Kodesh mean a one-time password returned by the Google authenticator, the long string of numbers that forms the cryptographic seed for generating OTPs, or something else entirely? In an email seeking clarification, Kodesh declined to comment, citing an ongoing law enforcement investigation.
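The distinction the post leaves open matters: a single TOTP code is bound to one 30-second step, while the seed behind it reproduces every future code, which is why a seed synced into a compromised Google account is a full compromise of that second factor. The following is an added example, not code from Retool, Google or the original article, implementing RFC 4226/6238 TOTP generation and verification and showing both cases side by side; the seed is the public RFC 6238 reference vector, and the function names (`seed_vs_code` and the others) are this example's own.

```python
import base64
import hashlib
import hmac
import struct


def seed_from_base32(b32: str) -> bytes:
    """Decode the base32 seed carried in an otpauth:// URI (padding is optional)."""
    clean = b32.strip().replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` neighbouring steps (clock skew)."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(seed, current + skew, digits), code)
        for skew in range(-window, window + 1)
    )


def seed_vs_code(seed: bytes, capture_time: int, later_time: int, step: int = 30) -> dict:
    """Contrast a phished code (dies with its time step) with a leaked seed (never expires).

    window=0 makes the two verification results exact for the chosen timestamps."""
    captured = totp(seed, capture_time, step)
    return {
        "captured_code": captured,
        "valid_at_capture": verify_totp(seed, captured, capture_time, step, window=0),
        "valid_later": verify_totp(seed, captured, later_time, step, window=0),
        # Whoever holds the seed simply computes the code for any later moment.
        "code_from_seed_later": totp(seed, later_time, step),
    }


# Constructed input: the RFC 6238 reference seed ("12345678901234567890"), not a real account's secret.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    seed = seed_from_base32(RFC6238_SEED_B32)
    print(seed_vs_code(seed, 59, 1111111109))
```

Run against the reference seed, the code captured at t=59 verifies then but not at a later time, whereas the seed yields the correct later code directly. For a defender, the consequence is that an authenticator seed exported or synced anywhere has to be treated with the same sensitivity as the password itself, and re-enrolling the factor (a new seed) is part of containment after an account compromise.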

Source: arstechnica.com
