Usr6 Posted May 17, 2014

I remember fondly two years ago, when 2-Factor-Authentication (2FA) became popular and well used across major web applications (Google, Facebook, Yahoo and others). I found my naive sixteen-year-old self unable to come to terms with why the genius idea had not been thought of before. At the time, I felt that 2FA was that golden shield you could cover yourself with and defend against some of the most sophisticated phishing attacks calmly.

Whilst 2FA can still be that golden shield to the critical applications you use in your life, I shall be documenting below, using an array of exploitation methods, how I was able to bypass 2FA for Google, Facebook, Yahoo, LinkedIn and basically any service which sends 2FA tokens to voicemail.

Note: More than 9.59 million Australian Optus mobile subscribers are affected by the voicemail hack I detail below. Anyone from that 9.59 million with 2FA enabled is vulnerable to the 2FA bypass I document below.

Table of Contents

Analysis of 2FA, Concept and Flow of Exploit
Disclosure to Google Security Team
Disclosure to Facebook Security Team
Disclosure to LinkedIn Security Team
Disclosure to Yahoo Security Team
Disclosure to Authy & Duosecurity - (Universal 2FA Provider) - Not Vulnerable
Mitigation Techniques and Disclosures to Telcos
Final notes

Full article: How I bypassed 2-Factor-Authentication on Google, Facebook, Yahoo, LinkedIn, and many others.