Security Week 45: bypassing two-factor authentication in OWA, intercepting GMail accounts, vulnerability in OpenSSL
Researcher Ahmed Mehtab found (news, research) a non-trivial way to partially hijack Gmail accounts. Using a flaw in the feature that links several accounts together for mail forwarding, he showed how messages can be sent on behalf of the victim. Under normal conditions, you link an additional account to your own through the corresponding menu in the settings, after which a confirmation is sent to that additional mailbox. Only after clicking the link in that message do you get the ability to send mail from your own mailbox on behalf of the additional account.
Accordingly, if you have no access to the attacked mailbox, you never see the confirmation letter and its link. But in rare cases that access is not needed: if the attacked account has been deactivated, Google's mail server sends a non-delivery notification. You request the confirmation by the standard means, it goes to the attacked mailbox, and it comes back in full as part of the bounce message. All that remains is to click the link.
Clearly the attack has a very limited scope: against real mailboxes it works only if the owner can somehow be made to deactivate the account. The second option: the victim has blocked your mailbox, in which case similar bounce messages are sent. Even then, you can only send letters on behalf of the victim, not receive them. The researcher managed to tie non-existent addresses with attractive names like gmail@gmail.com to his mailbox. Naturally, by the time the study was published, the loophole had already been closed. Attack video:
The researcher showed a way to bypass two-factor authentication for Outlook Web Access
UPD: See the comment by the respected VitalKoshalew. At the very least, things are not so straightforward; in fact, there is a real possibility that the 2FA "vulnerability" is caused by a non-recommended configuration of OWA + EWS + 2FA.
This news item, though, concerns a vulnerability that either is not closed, or cannot be qualified as a vulnerability, or, as in the joke, "the whole system needs changing." The bottom line is that two-factor authentication in the web interface of Outlook Web Access corporate mail can be easily circumvented if the victim company uses the standard configuration of this service. The standard configuration assumes that not only OWA is reachable from outside, but also Exchange Web Services, where 2FA is not implemented at all. Mail can be accessed through EWS too, which makes the two-factor authentication meaningless: it appears to be there, but serves no purpose.
The researcher (report) sent the information to Microsoft, got no response, and published the details. After that, Microsoft proposed a solution to the problem: disable access to EWS from outside. Indeed, this is not a vulnerability but rather a misconfiguration. On the other hand, we are talking about the default OWA configuration, so some action on the vendor's part is still required, at least in the form of recommendations for a secure 2FA deployment that actually works.
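For administrators who want to know whether their own Exchange organization is in the configuration described above, here is an added audit script (not from the original post or from the researcher's report). It assumes an on-premises Exchange Management Shell session; the function name Get-EwsExposureReport is ours, and the script only reads configuration, with the remediation cmdlets left as comments.

```powershell
# Added example, not code from the original post. Run inside the Exchange
# Management Shell of an on-premises Exchange organization (assumption).
function Get-EwsExposureReport {
    # 1. Is the EWS virtual directory published externally?
    #    A non-empty ExternalUrl means the endpoint is advertised (via
    #    Autodiscover) as reachable from the Internet, which is the default
    #    configuration the article describes: OWA behind 2FA, EWS without it.
    $ewsDirs = Get-WebServicesVirtualDirectory
    $dirReport = foreach ($dir in $ewsDirs) {
        [pscustomobject]@{
            Server      = $dir.Server
            Identity    = $dir.Identity
            ExternalUrl = $dir.ExternalUrl
            Exposed     = -not [string]::IsNullOrEmpty("$($dir.ExternalUrl)")
        }
    }

    # 2. How many mailboxes can actually use EWS?
    #    EWSEnabled is $null when the mailbox inherits the organization
    #    default, which means enabled; only an explicit $false blocks it.
    $casMailboxes = Get-CASMailbox -ResultSize Unlimited
    $ewsOn  = @($casMailboxes | Where-Object { $_.EWSEnabled -ne $false })
    $ewsOff = @($casMailboxes | Where-Object { $_.EWSEnabled -eq $false })

    [pscustomobject]@{
        EwsVirtualDirectories   = $dirReport
        ExternallyPublished     = @($dirReport | Where-Object Exposed).Count
        MailboxesWithEwsEnabled = $ewsOn.Count
        MailboxesWithEwsBlocked = $ewsOff.Count
    }
}

$report = Get-EwsExposureReport
$report.EwsVirtualDirectories | Format-Table Server, ExternalUrl, Exposed
$report | Format-List ExternallyPublished, MailboxesWithEwsEnabled, MailboxesWithEwsBlocked

# Remediation along the lines Microsoft suggested (commented out on purpose):
#   Stop advertising EWS externally for each virtual directory:
#     Set-WebServicesVirtualDirectory -Identity '<identity>' -ExternalUrl $null
#   Or block EWS per mailbox for users who never need it (Outlook for Mac,
#   some mobile and line-of-business clients do need it):
#     Set-CASMailbox -Identity '<user>' -EWSEnabled $false
# Clearing ExternalUrl only changes what is advertised; also confirm at the
# reverse proxy or firewall that the /EWS/ path is not forwarded from outside.
```

A report with ExternallyPublished greater than zero and a large MailboxesWithEwsEnabled count is exactly the situation the article describes, regardless of how strict the 2FA in front of OWA is.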
A fairly serious vulnerability in the OpenSSL library was closed this week. It can be exploited over a TLS connection that uses the recently standardized ChaCha20-Poly1305 cipher: under certain conditions, a denial of service can occur.
Nothing more than that, though. The bug was introduced into the library code recently, exists only in version 1.1.0, and is fixed in update 1.1.0c. In addition, the OpenSSL developers have reminded everyone that support for library version 1.0.1 and earlier is ending: from the new year, updates and patches for that branch will no longer be released.
What else happened
Google came up with a separate flag for sites that repeatedly host dangerous content.
Experts at "the Lab" describe a ransomware encryptor that uses the Telegram bot mechanism.
Antiquities
"Aircop"
A very dangerous virus. It infects the boot sectors of floppy disks, storing the old boot sector at 1/39/9 (head/track/sector); the data located at that address is destroyed. It tries to survive a reboot. When an attempt is made to boot from a disk that does not contain the DOS system files, it displays: "Non-system". Periodically displays: "RED STATE, Germ offensing - Aircop". Hooks int 12h, 13h, 1Bh.
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 99.
Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That is a matter of luck.