Yesterday, a security notice was launched in Authy’s blog. An independent security researcher from Sakurity found a bug in the popular 2FA app Authy. Egor Homakov was responsible for finding a Format Injection vulnerability that affected the Authy service through a commonly used open source library.
In his research, Egor found out that the Authy-node wasn’t encoding the tokens from the users parameters. This was due to a High severity format Injection in Authy API and “the real problem was default Sinatra dependency “rack-protection”.
The researcher alerted the Authy security team who immediately performed an investigation and a forensic analysis to check if this vulnerability was being used or if someone was taking advantage of this bug.
Authy is supposed to make two-factor authentication simple and easy by giving an extra security layer to your accounts using one app, so even if your password is compromised, your account will still be safe. This app needs to be installed on a mobile device. Two-factor authentication is currently the best way to keep your accounts safe; Authy, is focused on making 2FA easier to use by allowing users to get a second-factor authentication code from multiple devices.
This was the first time the company faced this type of issue. They promptly solved the case with an exceptional professional attitude and a remarkable solution.
The Authy security team went through an extensive review in their API logs to confirm if there was some indication that this vulnerability was used to compromise the Authy service and concluded that it wasn’t compromised at any time.
The team sent all of their active customers a signed email with a full description of the issue. Customers found to be using the affected third party libraries were notified and Authy’s security team worked directly with them to apply the patch.
The Authy security team declared available to work with outside security experts saying this would help them ensure transparency while ensuring they would get the needed security information from the community to rapid response to any new vulnerability.
The Authy Security team also notified the author of the affected library, and a final audit was done with the help of other third-party libraries and community helper libraries looking to find the same issue. Egor Homakov assisted the Authy team by providing time to correct the issue for all customers before publishing his findings. After this being done, patches were applied to the service and patched forks of community helper libraries were published via the Authy Github page.
In the end, The Authy team thanked Egor for responsibly disclosing his research on this vulnerability, and providing them detailed information to analyze the issue. This was crucial for the team to solve the issue and notify its customers.
What do you think about second-factor authentication? Let us know on the comment bellow!