Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing 2FA using OpenID Misconfiguration- 533

youstin, posted 4 years ago
  • There are several third-party protocols for delegating access and authentication. OAuth grants access to resources, such as a user's Facebook friends list. SAML and OpenID Connect provide single sign-on (SSO), a central place for authentication. OpenID Connect is built on top of OAuth 2.0 and is the focus of this article.
  • The attack in this article targets an OpenID Connect two-factor authentication (2FA) implementation. Going through the basic 2FA test cases (wrong OTP, brute forcing the code, etc.) turned up nothing interesting, so the author decided to read the specification for the AMR (Authentication Methods Reference) claim, RFC 8176.
  • One sentence caught the author's eye: "...taking a dependence upon particular authentication methods may result in brittle systems since the authentication methods that may be appropriate for a given authentication will vary over time." In other words, an identity provider may accept more than one authentication method for the second factor, and the set of accepted methods is not fixed.
  • With that in mind, the author changed the requested AMR values in the browser request from otp and password to sms and password. Instead of the usual Google Authenticator prompt, a new window asking for a phone number appeared. Adding a phone number to the account and responding to the SMS code was enough to bypass the otp+password 2FA entirely.
  • This simple trick, switching the second factor from OTP to SMS, gave a complete 2FA bypass: the identity provider let the client pick a weaker method that the account had never enrolled. Obviously this is a serious security bug, and it was paid out as such. In the future, reading specifications while testing implementations will be on my radar as a way to find hidden attack vectors.
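The defensive side of this bug is worth seeing in code. The identity provider decided the second factor based on what the client asked for; the relying party should instead decide from the amr claim the identity provider actually puts in the ID token, checked against a fixed policy. The example below is added here and is not code from the writeup or from the affected provider. It constructs unsigned ID tokens for illustration (signature verification is deliberately omitted and would come first in real code), and the policy, the helper names and the sample claims are assumptions for the example. The amr values (pwd, otp, sms, hwk) are the ones registered by RFC 8176.

```python
import base64
import json
import time

# Assumed policy for this example: a password plus either an OTP app or a
# hardware key counts as 2FA; a password plus an SMS code does not.
STRONG_POLICY = [{"pwd", "otp"}, {"pwd", "hwk"}]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED ID token (header.payload.signature) for the
    example. A real relying party must verify the signature before reading claims."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))


def weak_check(token: str, requested_amr: set) -> bool:
    """Vulnerable pattern: accept the login if the IdP used whatever methods the
    client requested. A client that requests sms+pwd instead of otp+pwd passes."""
    claims = decode_claims(token)
    return set(claims.get("amr", [])) == requested_amr


def amr_satisfies(amr: set, policy) -> bool:
    # The token's amr must contain every method of at least one acceptable set.
    return any(required <= amr for required in policy)


def strict_check(token: str, policy=STRONG_POLICY, now=None) -> str:
    """Hardened pattern: judge the token's own amr claim against a fixed policy,
    ignoring what the client asked for. Returns "ok" or a rejection reason."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return "rejected: token expired"
    amr = claims.get("amr")
    if not isinstance(amr, list) or not amr:
        # No evidence of how the user authenticated: treat as single factor.
        return "rejected: amr claim missing"
    if not amr_satisfies(set(amr), policy):
        return f"rejected: amr {sorted(amr)} does not meet policy"
    return "ok"


if __name__ == "__main__":
    # Constructed sample tokens: one from a real OTP login, one from the
    # downgraded SMS login described in the writeup.
    exp = int(time.time()) + 300
    otp_login = make_id_token({"sub": "user1", "amr": ["pwd", "otp"], "exp": exp})
    sms_login = make_id_token({"sub": "user1", "amr": ["pwd", "sms"], "exp": exp})
    print("weak check, attacker asked for sms+pwd:", weak_check(sms_login, {"pwd", "sms"}))
    print("strict check, otp login:", strict_check(otp_login))
    print("strict check, sms login:", strict_check(sms_login))
```

The strict check never consults the requested methods at all; the only thing that matters is what the identity provider attests to in the token, and a missing amr claim is treated as no second factor rather than as "unknown, allow".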