A flaw in Google's account-recovery process has resulted in CloudFlare CEO Matthew Prince losing control of his Google Apps for Business account, despite it being protected with two-factor authentication.
CloudFlare has been the unfortunate victim of an attack that used social engineering, which compromised two highly protected email accounts. It was ultimately directed at popular internet forum 4chan, for which CloudFlare acts as a host. In a blog post, Prince said that the attack on his company and himself may have begun in mid-May — he received an account-recovery request for his personal Gmail account then, even though he had not started the recovery process himself.
Prince was using a 20+ character, highly randomised password; however, the hackers were able to bypass it by asking Google for an account reset. One option for recovering an account is to have Google send a confirmation code to the phone number associated with the account, and where SMS is not available, it sends the code as a voice call.
Prince believes that the hackers began the recovery process and intercepted the confirmation code by socially engineering US telco AT&T's support staff to gain access to his voicemail, where the code would have ended up.
The hackers then used his compromised personal account to recover his Google Apps business account, which, unlike his personal account, has two-factor authentication. This authentication process meant that theoretically, even if the hackers were able to complete the account-recovery process on his personal account, the business account should still have been safe. When the hackers tried to log in, they should have been prompted for a token.
However, a flaw in Google's recovery process circumvented this important security precaution.
"If an administrator account that was configured to send password-reset instructions to a registered secondary email address was successfully recovered, two-step verification would have been disabled in the process," Google said in a statement.
The web giant has already fixed the issue, ensuring that two-factor authentication is no longer disabled upon account recovery.
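As an added illustration (not code from Google or from the article), the following toy model shows the flaw Google describes: a secondary-email recovery flow that resets the password and, in the flawed configuration, clears two-step verification, beside the corrected flow that leaves it enabled. Account names, addresses and the reset-link format are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Account:
    password: str
    two_step: bool            # two-step verification enabled for this account
    otp: str                  # code only the legitimate owner's device produces
    recovery_email: str       # registered secondary address for reset instructions

class Directory:
    """Toy account store with a secondary-email recovery flow (hypothetical)."""

    def __init__(self, recovery_preserves_two_step: bool):
        self.fixed = recovery_preserves_two_step
        self.accounts: dict[str, Account] = {}
        self.mailboxes: dict[str, list[str]] = {}   # email -> delivered reset links

    def request_recovery(self, user: str) -> None:
        acct = self.accounts[user]
        link = f"reset:{user}:{len(self.mailboxes.get(acct.recovery_email, []))}"
        self.mailboxes.setdefault(acct.recovery_email, []).append(link)

    def complete_recovery(self, user: str, link: str, new_password: str) -> bool:
        acct = self.accounts[user]
        box = self.mailboxes.get(acct.recovery_email, [])
        if link not in box:
            return False
        box.remove(link)
        acct.password = new_password
        if not self.fixed:
            acct.two_step = False   # the flaw: recovery silently lowers assurance
        return True

    def login(self, user: str, password: str, otp: str = "") -> bool:
        acct = self.accounts[user]
        if password != acct.password:
            return False
        return not acct.two_step or otp == acct.otp

def mailbox_holder_can_bypass_two_step(fixed: bool) -> bool:
    """Can someone who only controls the secondary mailbox log in without the OTP?"""
    d = Directory(recovery_preserves_two_step=fixed)
    d.accounts["admin@corp.example"] = Account(
        password="a-long-random-password", two_step=True, otp="123456",
        recovery_email="personal@mail.example")
    d.request_recovery("admin@corp.example")
    link = d.mailboxes["personal@mail.example"][-1]   # read from the seized mailbox
    assert d.complete_recovery("admin@corp.example", link, "new-password")
    return d.login("admin@corp.example", "new-password")   # no OTP supplied
```

The check a reviewer of any recovery flow would want is the second case: after a successful reset, a login without the second factor must still fail.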
With Prince's Google Apps administrator account, the hackers had access to the Google Apps administrative panel, with complete control over CloudFlare's own accounts and domain settings, on top of the ability to masquerade as the company CEO and access the company's systems. But the hackers didn't seem interested in this, instead heading straight for one target: 4chan.
Hacktivist group UGNazi claimed responsibility for the attack. After initiating a password reset for a 4chan account, it updated 4chan's DNS records to redirect visitors to the hacktivist group's Twitter page.
In a Pastebin post, the group stated that it attacked 4chan for its unreasonable delays in removing child-abuse material.
"4chan.org is the playground that allows paedophiles to share their 'collections' and the disgusting bronies to hang out. The site is loosely monitored, and child [abuse] threads are allowed to 'stay alive' for an exceedingly long amount of time. Shocking, seeing as there is a [strict] policy against posting it."
In the same post, however, the group wrote that it also attacked the site for its own entertainment and amusement.
"There was no political motive here, we will not tell lies and pretend that it was all to fight an injustice. This was for the lulz. This was for the fame. This was done because only we have the skill to do it. This was done so that we can laugh at your butt hurt. We did it because we can."
CloudFlare's own investigations have found no evidence that any of its other customers were affected, and its practice of sending credit card data directly to a secure payment processor and not through its own servers appears to have protected that data.
The attack came shortly after UGNazi's leader, Cosmos, was arrested by the FBI, and after the group successfully performed a social-engineering attack on Hostgator to attack billing and support software provider WHMCS.