You are here

You are here

STOP: Opt out of phone numbers as authentication tokens

Richi Jennings Your humble blogwatcher, dba RJA
WhatsApp: Speak no evil

This week brings yet more examples of poor design. Specifically: Two apps trusting phone numbers without properly authenticating the actual user.

First, a deadly denial-of-service attack on WhatsApp, in which combining two subtle side effects can lock out users from their accounts. And second, a really dumb authentication bug in a wireless provider’s app.

Watch out—these things come in threes. In this week’s Security Blogwatch, we got the 411 (ask your parents).

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Cracking Enigma.

It’s a numbers game

What’s the craic, Zak? Mister Doffman reports—New Warning Will Surprise Millions Of WhatsApp Users:

WhatsApp is creaking at the seams. Its architecture has fallen behind its rivals, missing key features. … Using just your phone number, a remote attacker can easily deactivate WhatsApp on your phone and then stop you getting back in. … Here’s how the attack works. [It] involves two separate WhatsApp processes—both of which have a fundamental weakness.

Anyone can install WhatsApp on a phone and enter your number on the verification screen. … None of this should be a problem … unless you deactivate WhatsApp on your phone and need to reverify. … After a few attempts, the attacker’s WhatsApp will say … “You have guessed too many times; try again in 12 hours.”

And so, to weakness number two. … The attacker now … sends an email to Lost/stolen account, the email, says, please deactivate my number [but] the attacker includes your number. … They have no way of knowing whether this is really from you. … But an automated process has been triggered, without your knowledge. … Suddenly WhatsApp stops working on your phone [and] you cannot request a new code for the balance of those 12 hours.

But there’s a nasty twist. The attacker … can wait and then repeat the process. … Then on the third 12-hour cycle … instead of saying “12 hours” it says “-1 seconds.” It has stalled [and] there will be no way for you to reregister WhatsApp on your phone.

What the what? Michael Crider adds—Researchers reveal gaping hole in the popular chat app's security:

If you're a frequent user of WhatsApp, you may want to keep an eye on a disturbing hole discovered in its security. … At the time of writing there's no solution for this issue.

The attack is a proof-of-concept from a pair of security researchers, Luis Márquez Carpintero and Ernesto Canales Pereña. … The results are disturbing, but at … least, this method can't be used to actually gain access to an account, merely to block access by its legitimate owner.

There's no indication that this technique is being used in the wild. But when pressed for comment, WhatsApp was evasive, and did not indicate that it's working to resolve the hole in its security. … It seems like security issues, and a less-than-satisfactory response to them, will continue to be a problem in Facebook's growing corporate empire.

Ah, the perils of using a phone number as a public identifier. Dan Goodin notes a similar faux pas—Mobile carrier exposes data … to anyone who knows a customer's phone number:

Q Link Wireless, a provider of low-cost mobile phone and data services to 2 million US-based customers, has been making sensitive account data available to anyone who knows a valid phone number on the carrier’s network. … That’s right—no password or anything else required.

The person who [found the bug] reported this glaring insecurity to Q Link Wireless sometime last year. [And] he notified support twice again this year—first in February and again this month.

The data exposure is serious because phone numbers are so easy to come by. … And of course, phone numbers are easily obtained by private detectives, abusive spouses, stalkers, and other people who have an interest in a particular person. Q Link Wireless making customer data freely available to anyone who knows a customer's phone number is an act of downright negligence. [And] the exposure might make it easier for a would-be SIM swapper to social engineer a Q Link Wireless employee into porting a number to a new phone.

Q Link Wireless CEO and founder Issa Asad didn’t respond [to me]. The carrier has yet to notify customers of the data exposure.

And Karl Bode sounds stoic—Wireless Provider Openly Shares Private Data Of 2 Million Subscribers:

Another day, another notable privacy scandal we won't do much about. Q Link Wireless is the latest company to be under fire for particularly lax security and privacy standards.

The company's My Mobile Account app … displays the name, addresses, phone and text histories, last four digits of their credit card, and the account number needed to port your number out … provided you had the phone number of any of Q Link Wireless' 2 million subscribers. … Whoops-a-daisy.

Wait. Pause. Issa Asad? Where have we heard that name before? Perhaps from CBS Miami’s anonymous scribblers—Man charged with groundskeeper’s murder:

The case against a South Florida man who was originally charged with murdering a groundskeeper following a dispute over money, pled nolo contendere to misdemeanor culpable negligence and given one year of probation. … Issa Asad was also ordered to pay a $225 fine.

I hate the way Registered Coward v2 is thinking:

No doubt some scammers will decide to exploit this and send emails to the victims demanding payment to stop locking out the account. All they need is a list of phone numbers … and they're in business.

There is no limit to how many scammers can exploit this, so even if a victim pays one they'd still be blocked if another one uses this exploit against them as well. Automated attacks could basically shutdown some percentage of WhatsApp accounts permanently.

So what can be done? Why is quamquam quid loquor speaking? [You’re fired—Ed.]

We need a carrot and/or a stick. Good security practices require expertise and investment, but do not meaningfully increase sales. Poor security practices get the Experian Treatment, where you setup a ridiculously undersized pot of money and wait for the next news cycle.

Investors need to demand cyber security audits and Regulators need laws with teeth.

What a mess. Artem Russakovskii—@ArtemR—ponders the motivation to fix the WhatsApp bug:

The real critical part here is anyone can apparently deactivate any WhatsApp account if they just email WA the phone number and say they lost their phone, from any email, even if it's not registered to your account.

This is beyond careless. What the actual ****? … It'll get fixed when someone does this to Zuckerberg's number, which was recently leaked in a Facebook account dump.

Meanwhile, automate all the things, viperidaenz seems to say:

One way to get it fixed: Write a script to block every phone number in the recent Facebook data leak. When millions of users start complaining, something will get done.

The moral of the story?

Take care when designing your account recovery flow—avoid denial-of-service vulnerabilities from corner cases.
And take care when designing your schema—avoid creating a well-known index that can be used to access data without authorization.

And finally

Very fast bombes

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Rachit Tank (via Unsplash)

Keep learning

Read more articles about: SecurityInformation Security