The recent Retool data breach incident has brought to light an alleged vulnerability in Google Authenticator.
According to a recent report by Retool, a Google Authenticator vulnerability, which stems from its cloud synchronization feature that allows the application to store critical user information in the cloud, was responsible for the worsening of the Retool data breach.
The vulnerability incident has directly impacted Retool, causing a widespread data breach and revealing potential data about its customers, stated a Retool report addressing the Retool data breach.
The Retool data breach caused accounts of 27 cloud customers, predominantly from the cryptocurrency industry, to fall victim to the cyber attackers, who exploited a vulnerability in the Google Authenticator app.
Retool Data Breach linked to Google Authenticator Vulnerability
According to the company, the Retool data breach was caused by a sophisticated social engineering attack, leveraging SMS phishing and manipulative techniques.
In a security post titled When MFA isn’t actually MFA, the company claimed that several employees received a text on their devices about open enrollment, a masked phishing attack by hackers.
“Several employees received targeted texts, claiming that a member of IT was reaching out about an account issue that would prevent open enrollment (which affects the employee’s healthcare coverage),” reads the company post.
“The timing coincided with a recently announced migration of logins to Okta, and the message contained a URL disguised to look like our internal identity portal. Almost all employees didn’t engage, but unfortunately, one employee logged into the link provided by the attackers”, added Snir Kodesh, Head Of Engineering, Retool.
Most employees at Retool did not take any action, except for one who logged into the linked site.
Presumably, this employee provided both a password and a temporary one-time password (TOTP) from Google Authenticator based on the language used in the written disclosure.
How Google Authenticator Vulnerability was Exploited
A pivotal aspect of this Retool data breach was synchronizing 2FA codes with Google accounts, facilitated by Google Authenticator’s cloud sync feature.
While this feature offers convenience, it also introduces substantial security risks. This is because, in the event of a compromise of a Google account, attackers gain access to all synchronized 2FA codes.
Following this, the employee received a phone call from an individual claiming to be an IT team member. This person exhibited knowledge of the office layout, colleagues, and the company’s internal processes.
During the call, the employee provided an “additional multi-factor code.” At this juncture, a synchronization feature introduced by Google in April exacerbated the severity of the breach.
This allowed the attackers to compromise the employee’s account and a slew of other company accounts.
Retool’s primary oversight was relying on MFA, which hinges solely on the secrecy of TOTPs.
It has been evident for years that these codes can be phished with only slightly more effort than it takes to phish a password.
Forms of MFA compliant with the industry-wide FIDO2 specification provide immunity from credential phishing attacks like those targeting Retool.
Google has acknowledged the issue and recommends transitioning to FIDO-based technologies for enhanced security.
Users also have the option to turn on or off cloud sync for their OTPs, providing them with more control over their safety.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
