Finally, Yandex got two-factor authentication. I did not expect a catch, but it seems I was wrong.
How does two-factor authentication of Yandex work?
A QR code is displayed in the browser, the user scans it with a dedicated mobile application, and the browser immediately detects this and logs the user in.
The QR code decodes to a link like this:
yandex.ru/promo/2fa?track_id=38e701d0bb5abaf50d381c3f95e0f341a8

Meanwhile, the web page showing the QR code constantly polls the server while waiting for authorization:
POST /auth/magic/status/ HTTP/1.1
Host: passport.yandex.ru

track_id=38e701d0bb5abaf50d381c3f95e0f341a8
Once the user has scanned the QR code with the Yandex application, the next such request returns a cookie to the browser.
What is the problem here?
The same ID that is encoded in the QR code is the one used to receive the cookie.
Pay attention to the track_id parameter in the link and the same parameter in the POST request.
This means that an attacker can look at the QR code over the user's shoulder, extract the track_id from it, and, pretending to be the browser, repeatedly issue the same status request.
If the attacker obtains the session before the victim does, he is immediately inside the user's account.
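The root cause is that the status endpoint needs nothing beyond the value printed in the QR code. The following Python model, added here as an illustration and not Yandex's code, contrasts that design with a hardened one in which the browser that requested the QR code also receives a secret that never appears in the QR (for example as an HttpOnly cookie), so the status endpoint only hands the session to that browser and logs any poll that lacks it. The host name, the field layout and the alert wording are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed model of a QR-code login flow (added example, not Yandex's code).
# VULNERABLE: the status endpoint gives the session to whoever presents the
#             track_id, which is exactly the value visible in the QR code.
# HARDENED:   the browser also holds a secret that is never encoded in the QR;
#             the status endpoint requires it and records polls that lack it.


class QrLoginServer:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.tracks = {}   # track_id -> {"secret_hash", "approved_user", "issued"}
        self.alerts = []   # constructed audit log for detection

    def start_login(self):
        """Browser opens the login page. Returns (qr_payload, browser_secret)."""
        track_id = secrets.token_hex(16)
        browser_secret = secrets.token_urlsafe(32)
        self.tracks[track_id] = {
            "secret_hash": hashlib.sha256(browser_secret.encode()).hexdigest(),
            "approved_user": None,
            "issued": False,
        }
        # Placeholder host; only the track_id travels inside the QR code.
        qr_payload = f"https://login.example.invalid/2fa?track_id={track_id}"
        return qr_payload, browser_secret

    def approve_from_app(self, track_id: str, user: str):
        """The phone app scanned the QR code and the user confirmed with a PIN."""
        if track_id in self.tracks:
            self.tracks[track_id]["approved_user"] = user

    def status(self, track_id: str, browser_secret=None, client_ip="0.0.0.0"):
        """Equivalent of the status poll. Returns a session cookie or None."""
        rec = self.tracks.get(track_id)
        if rec is None:
            return None
        if self.hardened:
            presented = hashlib.sha256((browser_secret or "").encode()).hexdigest()
            if not hmac.compare_digest(presented, rec["secret_hash"]):
                # Detection hook: a poll for this track_id from a client that does
                # not hold the originating browser's secret.
                self.alerts.append(
                    f"track_id {track_id[:8]}... polled without browser secret from {client_ip}"
                )
                return None
        if rec["approved_user"] is None or rec["issued"]:
            return None
        rec["issued"] = True   # one-shot: the first successful poll consumes the approval
        return f"Session_id={secrets.token_hex(8)}; user={rec['approved_user']}"


def simulate(hardened: bool) -> dict:
    """Run one login where a second client knows only what the QR code shows."""
    srv = QrLoginServer(hardened)
    qr, browser_secret = srv.start_login()
    track_id = qr.split("track_id=")[1]
    srv.approve_from_app(track_id, "alice")
    # A client that saw the QR code polls first, before the real browser does.
    other = srv.status(track_id, client_ip="203.0.113.7")
    legit = srv.status(track_id, browser_secret, client_ip="198.51.100.2")
    return {
        "other_got_session": other is not None,
        "legit_got_session": legit is not None,
        "alerts": len(srv.alerts),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("hardened:  ", simulate(True))
```

In the vulnerable configuration the faster poller wins the session and the real browser is left with nothing, which is the race the post describes; in the hardened one the QR code alone is worthless to anyone else, and the mismatched poll leaves an audit record that can be alerted on.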
I knocked together a simple Android application that demonstrates this vulnerability.
It is enough to stand behind the victim and scan the QR code before they do, while the victim is still launching the application and entering the PIN.
Once the victim logs in, the application shows you the victim's mailbox.
The application decodes the QR code using the github.com/dm77/barcodescanner library, quickly makes POST requests to Yandex, receives the cookies, inserts them into a WebView and opens Yandex.Mail in it.
For a successful attack you need relatively fast Internet on the smartphone (in order to get the cookie before the victim), and a good camera on the device is desirable. In my tests the code was recognized from up to a meter away, while the friends I experimented on noticed nothing and were very surprised by the trick when I showed them their mail on my phone.