Google's two-factor glitch ends in 4chan attack

Summary: A flaw in Google's account-recovery process has resulted in CloudFlare CEO Matthew Prince losing control of his Google Apps for Business account, despite it being protected with two-factor authentication.

CloudFlare has been the unfortunate victim of an attack that used social engineering, which compromised two highly protected email accounts. It was ultimately directed at popular internet forum 4chan, for which CloudFlare acts as a host. In a blog post, Prince said that the attack on his company and himself may have begun in mid-May — he received an account-recovery request for his personal Gmail account then, even though he had not started the recovery process himself.

Prince was using a 20+ character, highly randomised password; however, the hackers were able to bypass it by asking Google for an account reset. One option for recovering an account is to have Google send a confirmation code to the phone number associated with the account, and where SMS is not available, it sends the code as a voice call.

Prince believes that the hackers began the recovery process and intercepted the confirmation code by socially engineering US telco AT&T's support staff to gain access to his voicemail, where the code would have ended up.

The hackers then used his compromised personal account to recover his Google Apps business account, which, unlike his personal account, has two-factor authentication. This authentication process meant that theoretically, even if the hackers were able to complete the account-recovery process on his personal account, the business account should still have been safe. When the hackers tried to log in, they should have been prompted for a token.

However, a flaw in Google's recovery process circumvented this important security precaution.

"If an administrator account that was configured to send password-reset instructions to a registered secondary email address was successfully recovered, two-step verification would have been disabled in the process," Google said in a statement.

The web giant has already fixed the issue, ensuring that two-factor authentication is no longer disabled upon account recovery.
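To make the flaw described above concrete, here is a small model of an account-recovery flow, written for this article and not taken from Google's code or documentation. It puts the flawed behaviour (a secondary-email recovery that silently clears two-step verification) beside the corrected behaviour (the password changes but the enrolled second factor stays, so a later login still needs a token). The `Account` fields, the helper names and the sample admin account are all constructed for the example; the fixed six-digit `totp_secret` stands in for a real one-time-code check.

```python
"""Illustrative model of account recovery with and without the two-step
verification defect. Example code for this article, not Google's
implementation; all names and sample values are constructed."""

from dataclasses import dataclass
from typing import Optional, Tuple
import hmac
import secrets


@dataclass
class Account:
    email: str
    password: str
    recovery_email: Optional[str] = None
    two_step_enabled: bool = False
    totp_secret: Optional[str] = None  # constructed stand-in for the second factor


class RecoveryError(Exception):
    pass


def recover_flawed(acct: Account, new_password: str) -> Account:
    """Flawed flow: a reset via the registered secondary email also drops
    two-step verification, so whoever controls that mailbox ends up with
    single-factor access afterwards."""
    if acct.recovery_email is None:
        raise RecoveryError("no secondary email registered")
    acct.password = new_password
    acct.two_step_enabled = False   # the defect: second factor removed on recovery
    acct.totp_secret = None
    return acct


def recover_fixed(acct: Account, new_password: str) -> Account:
    """Fixed flow: the password changes, the enrolled second factor is kept."""
    if acct.recovery_email is None:
        raise RecoveryError("no secondary email registered")
    acct.password = new_password
    return acct


def login(acct: Account, password: str, token: Optional[str] = None) -> bool:
    """Succeeds only if the password matches and, when two-step verification
    is enabled, a valid token is also presented."""
    if not hmac.compare_digest(acct.password, password):
        return False
    if acct.two_step_enabled:
        if token is None or acct.totp_secret is None:
            return False
        return hmac.compare_digest(acct.totp_secret, token)
    return True


def sample_admin() -> Account:
    """Constructed sample: an administrator account with two-step turned on."""
    return Account(
        email="admin@example.invalid",
        password="correct horse battery staple",
        recovery_email="personal@example.invalid",
        two_step_enabled=True,
        totp_secret="123456",  # constructed value; a real system derives codes per login
    )


def demo() -> Tuple[bool, bool]:
    """Returns (password-only login works after flawed recovery,
                password-only login works after fixed recovery)."""
    new_pw = secrets.token_urlsafe(16)

    flawed_acct = recover_flawed(sample_admin(), new_pw)
    flawed = login(flawed_acct, new_pw)   # True: second factor silently gone

    fixed_acct = recover_fixed(sample_admin(), new_pw)
    fixed = login(fixed_acct, new_pw)     # False: token still required
    return flawed, fixed


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the comparison is that recovery and second-factor enrolment are separate state; a recovery path that resets both turns control of the secondary mailbox into full control of the account, which is exactly the chain the article describes.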

With Prince's Google Apps administrator's account, the hackers had access to the Google Apps administrative panel, with complete control over CloudFlare's own accounts and domain settings, on top of the ability to masquerade as the company CEO and access the company's systems. But the hackers didn't seem interested in this, instead heading straight for one target: 4chan.

Hacktivist group UGNazi claimed responsibility for the attack. After initiating a password reset for a 4chan account, it updated 4chan's DNS records to redirect visitors to the hacktivist group's Twitter page.

In a Pastebin post, the group stated that it attacked 4chan for its unreasonable delays in removing child-abuse material.

"4chan.org is the playground that allows paedophiles to share their 'collections' and the disgusting bronies to hang out. The site is loosely monitored, and child [abuse] threads are allowed to 'stay alive' for an exceedingly long amount of time. Shocking, seeing as there is a [strict] policy against posting it."

In the same post, however, the group wrote that it also attacked the site for its own entertainment and amusement.

"There was no political motive here, we will not tell lies and pretend that it was all to fight an injustice. This was for the lulz. This was for the fame. This was done because only we have the skill to do it. This was done so that we can laugh at your butt hurt. We did it because we can."

CloudFlare's own investigations have found no evidence that any of its other customers were affected, and its practice of sending credit card data directly to a secure payment processor and not through its own servers appears to have protected that data.

The attack came shortly after UGNazi's leader, Cosmos, was arrested by the FBI, and after the group was able to successfully perform a social-engineering attack on Hostgator to attack billing and support software provider WHMCS.

Topics: Google, Security

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

3 comments
  • Please note that if you have a Google (or Salesforce, Office 365 or similar corporate cloud account) you can avoid the above by simply using Microsoft Active Directory Federation Services combined with an SMS-based two-factor authentication solution like SMS Passcode. This will give the same functionality as above, but protect the user accounts via your own AD infrastructure as opposed to using each cloud provider's own separate services.
    larsting
  • I am a strong supporter of 2FA, but even I know that the truth is that if they want it enough, they will get it. We can see that the 2FA made it so they had to work hard to get what they wanted. And that is what we want… we don't want to make it easy for them by just handing it to them. Imagine how easy it would have been if he had not activated the 2FA. And you are not going to find a more secure and easier user experience anywhere. So activating the two-factor authentication technology where you can telesign into your account by entering a one-time PIN code is worth the time it takes to set it up, and have the confidence that your account won't get hacked and your personal information isn't up for grabs.
    Branden_B
    • Agree on all accounts there, cloud. I still highly recommend users turn on two-factor authentication, but don't forget that no form of security is completely impenetrable, whether it is via an oversight by Google or attacking an upstream provider. The best we can do is to give would-be hackers a difficult time.
      Michael Lee (Mukimu)