It seems that every day some company is hacked, and for the same reasons. Let's see why.
MobileSyrup reported in 2018 that an anonymous hacker posted a very detailed write-up on Freedom Mobile's subreddit about how they managed to access sensitive customer data on FreedomMobile.ca. While this wasn't confirmed, let's stop and evaluate certain aspects of the hack from different sources.
The Code
According to the report, the hacker mentioned it only took them 23 lines of code. While no one can guarantee this source is reliable, depending on how the login was implemented, it may indeed have been possible to build a simple Python script to perform username enumeration and PIN brute-forcing if the necessary prevention mechanisms weren't in place.
The Login Widget
I inspected the code as soon as the news was out and collected some data. On Feb 15, 2018, just after the news, the login screen offered, apart from username/password, a login using Phone number / PIN. If you were the hacker, which login do you think would be easier to guess? A password (which can be anything) or a PIN composed of 4 numeric characters? 😉
Reviewing the Phone Number widget
I'm interested in this Phone number / PIN option because PINs are usually simple and are often the same ones people use to unlock the phone itself. So they should be numeric. Let's see what the source tells us.
From the screenshot we see that:
- they're using Angular, which has its flaws. Are they running the latest version?
- some validations happen in the front-end (I hope they revalidate on the web server);
- that specific validation is done using a regex (pinRegEx);
- the min/max length: 4 chars (see the red box on the right there);
- the "PIN not valid" message on the left shows up for non-numeric characters.
Estimating the Complexity
So, a mobile number and 4 numeric characters. How complex can that be?
- mobile numbers are public;
- the PIN requires 4 numeric characters = 10^4 or 10,000 combinations.
Brute Force
So, knowing your phone number, it takes the hacker, in the worst case, only 10,000 guesses. And it can get better. For example, if your PIN were 1220 (Dec 20) and the guesses ran sequentially from 0000, it would have been found on guess 1,221, about 12% of the way through the keyspace; a hacker who tries date-like PINs first would get there even faster.
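To make the arithmetic concrete, here is an added example (not code from the original post or from Freedom Mobile's site) that mirrors the front-end rule, counts the keyspace, and brute-forces a constructed stand-in for a login endpoint that has no lockout. The regex pattern, the sample account and the phone number are assumptions; only the name pinRegEx and the 4-numeric-character rule come from the page.

```python
import re
from itertools import product

# Mirrors the front-end rule seen in the screenshot: exactly 4 numeric chars.
# The name pinRegEx comes from the page; the exact pattern is an assumption.
PIN_REGEX = re.compile(r"^[0-9]{4}$")


def pin_keyspace():
    """Count every 4-character digit string the front-end regex accepts."""
    return sum(1 for digits in product("0123456789", repeat=4)
               if PIN_REGEX.match("".join(digits)))


def date_like_pins():
    """All MMDD values (0101..1231), the guesses people tend to choose."""
    days_in = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return [f"{m:02d}{d:02d}"
            for m, days in enumerate(days_in, start=1)
            for d in range(1, days + 1)]


def candidate_order(dates_first=False):
    """Guess order: sequential 0000..9999, or date-like PINs first, then the rest."""
    everything = [f"{n:04d}" for n in range(10_000)]
    if not dates_first:
        return everything
    dates = date_like_pins()
    date_set = set(dates)
    return dates + [p for p in everything if p not in date_set]


# Constructed stand-in for the login endpoint: unlimited attempts, no alerts.
ACCOUNTS = {"5551234567": "1220"}   # sample account, not real data


def mock_login(phone, pin):
    """True on the right phone/PIN pair; never locks out, never alerts."""
    return ACCOUNTS.get(phone) == pin


def brute_force(phone, dates_first=False):
    """Try every valid PIN against the phone number; return (pin, attempts)."""
    order = candidate_order(dates_first)
    for attempts, pin in enumerate(order, start=1):
        if mock_login(phone, pin):
            return pin, attempts
    return None, len(order)


if __name__ == "__main__":
    print("keyspace:", pin_keyspace())
    print("sequential:", brute_force("5551234567"))
    print("dates first:", brute_force("5551234567", dates_first=True))
```

With the sample PIN 1220, the sequential walk succeeds on attempt 1,221; with the 366 date-like PINs tried first it succeeds on attempt 355. Either way the whole exercise is a single loop, which is why a 23-line script is entirely plausible when nothing on the server side counts failures.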
Username Enumeration
There is nothing fancy, complex or undocumented about the above. In fact, username enumeration and password brute-forcing are covered in OWASP's Authentication Cheat Sheet and fall under Broken Authentication in OWASP's Top 10 web application security risks.
The hacker confirms it:
(screenshot of the hacker's post)
Source: https://mobilesyrup.com/2018/02/12/freedom-mobile-security-breach/
No brute force prevention
Sigh. No brute force prevention. No account lockout? No MFA? No alerts? Probably not. Worse, the company ignores the issue, recites the corporate jargon and shifts the responsibility to users (as if a system based on 4-digit numeric PINs, with no brute-force or username enumeration prevention, were secure enough):
“We continue to strongly encourage our customers to use unique PIN numbers that are not easy to guess, and to change their PINs frequently to best protect their personal account information. (...) meeting customer demands for a reasonable login process.”
Shared Responsibility
Before we wrap up, there are two more things about this hack that are worth questioning:
- who's responsible for the decision to simplify the login by using the phone/PIN widget?
- who's responsible for not preventing brute force, with no lockout mechanism or alert on the login operation?
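As an added illustration of what the missing controls look like in practice (this is constructed code, not from the original post or from Freedom Mobile), here is a stand-in login service in two versions: one with distinct error messages and no lockout, and one with a generic failure message, a per-account failure counter, lockout and an alert hook. The sample account, the phone numbers, the lockout threshold and the message texts are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 5   # assumed lockout threshold


def pin_hash(pin):
    """Store only a digest of the PIN (a real service would also salt and stretch it)."""
    return hashlib.sha256(pin.encode()).hexdigest()


# Constructed sample account; the number and PIN are not real data.
ACCOUNTS = {"5551234567": pin_hash("1220")}


class VulnerableLogin:
    """Distinct errors reveal whether the phone number exists; no lockout, no alert."""

    def attempt(self, phone, pin):
        if phone not in ACCOUNTS:
            return "Phone number not found"
        if not hmac.compare_digest(ACCOUNTS[phone], pin_hash(pin)):
            return "PIN not valid"
        return "OK"


class HardenedLogin:
    """Generic failure message, per-account counter, lockout and an alert on lockout."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.alerts = []

    def attempt(self, phone, pin):
        if self.failures[phone] >= MAX_FAILURES:
            return "Login failed"            # locked: same text as any other failure
        ok = phone in ACCOUNTS and hmac.compare_digest(ACCOUNTS[phone], pin_hash(pin))
        if ok:
            self.failures[phone] = 0
            return "OK"
        self.failures[phone] += 1
        if self.failures[phone] == MAX_FAILURES:
            self.alerts.append(f"lockout: {phone}")   # hook for the missing alert
        return "Login failed"


def enumerate_numbers(service, candidates, probe="0000000000"):
    """Username enumeration: report candidates whose response to a junk PIN
    differs from the response for a number known not to be an account."""
    baseline = service.attempt(probe, "0000")
    return [n for n in candidates if service.attempt(n, "0000") != baseline]


def brute_force(service, phone):
    """Walk the whole 4-digit keyspace; return (pin, attempts) or (None, 10000)."""
    for attempts in range(1, 10_001):
        pin = f"{attempts - 1:04d}"
        if service.attempt(phone, pin) == "OK":
            return pin, attempts
    return None, 10_000


if __name__ == "__main__":
    print("vulnerable:", brute_force(VulnerableLogin(), "5551234567"))
    hardened = HardenedLogin()
    print("hardened:", brute_force(hardened, "5551234567"), hardened.alerts)
```

Against the vulnerable version the enumeration oracle flags the real number and the brute force lands on the correct PIN at attempt 1,221; against the hardened version the oracle returns nothing, the account locks after five failures, an alert is raised, and the correct PIN is rejected when it is eventually tried. One caveat a practitioner should keep in mind: a lockout keyed only on the account lets anyone lock a victim out with five junk guesses, so production systems pair it with per-source rate limiting or progressive delays rather than a hard counter alone.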
Conclusion
So, even if we assume that the hack didn't happen, 10k combinations without any prevention against username enumeration and/or PIN brute-forcing (lockout, rate limiting, alerting) is not acceptable. Everyone loses when companies try to simplify security for their users but do it wrong, ignoring the most critical web application security risks. In the meantime, if you haven't read it yet, check OWASP's Authentication Cheat Sheet.
References
- MobileSyrup.com - Hacker uncovers Freedom Mobile customer login vulnerability
- Reddit - /r/freedommobile security Breach
See Also
- How and why use stronger passwords
- Security and development: how much is being done?
- Security is only as strong as the weakest link
- The Laws of security
- Privacy and Ethics
- Integrated security vulnerability alerts on GitHub - Why it matters