Corporate Partners

Drupal offers bounty for breaking its new two-factor authentication

Developers behind the popular open source content management system, Drupal, want hackers to break its two-factor authentication system for drupal.org before it goes live.

Over a year after the Drupal.org website was hacked, exposing usernames and hashed passwords, Drupal’s developers are preparing to roll out an additional layer of security that would make it harder for attackers to break into accounts with only a compromised username and password combination.

Drupal.org hopes to deploy two-factor-authentication to enhance the security of the site. This tool will help to ensure that accounts with advanced permissions are only used by the intended individual,” said Drupal security team member Greg Knaddison.

CARD.com, a partner of Drupal, is putting up a $50 to $500 bounty on its bugcrowd.com profile for anyone who can break a test site that has been set up for with Drupal’s own two-factor authentication implementation, which uses the Time-based One-time Password Algorithm (TOTP).

Since TOTP is an industry standard protocol, drupal.org users should — assuming Drupal goes ahead with the plan — be able to use Google’s Authenticator app or FreeOTP to generate authentication codes for the site. 

The test target site has an administrator account which uses “admin” for the username and password and has two-factor enabled, requiring a six digit code to gain access.

Knaddison notes that the account has several trusted browsers and a set of recovery codes. So if the attacker can gain access to these, presumably they can bypass the additional security.

The site has also been prepared with realistic precautions, such as rate-limiting login attempts from a single IP address, and other Drupal security modules. 

Drupal is only interested in certain types of attacks, namely those that may break its use of time-based one time passwords, or somehow gain access to the trusted browsers, or one-time-user recovery codes.

As such a number of potential attacks are out of scope, including social engineering, man-in-the-middle attacks or other vulnerabilities that require sniffing a session or gaining access to a previously logged in computer.

Brute force attacks are in scope but only if they exploit a weakness in Drupal’s two-factor implementation to use “significantly fewer resources than is generally required for TOTP or 7 digit recovery codes.”  

According to Knaddison, “It is very likely that TFA will get deployed to drupal.org” and when that happens, Drupal will be looking to prompt users into setting up the additional authentication.

Drupal last year reset all user passwords after discovering unauthorised access to account information on Drupal.org and groups.drupal.org. The issue affected only the two sites, not third-party sites that run on Drupal's CMS. Nonetheless, the breach exposed username, email address, hashed password, and country of users of the two Drupal sites.

 

Join the CSO newsletter!

Error: Please check your email address.

Tags hackedCARD.comtwo-factor authenticationdevelopersGoogles Authenticatordrupal

More about CMSGoogle

3 Comments

Greg Knaddison

1

Thanks for writing about this updated TFA module and the security bug bounty.

I also encourage anyone who has a Drupal site to install and test out the module for themself. Admins around the world should be installing and configuring the module to increase the security of their site.

Hitoshi Anatomi

2

If the system is perfectly hacker-proof, physical tokens and phones are easily lost and stolen. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

Oxford-Biochron

3

A new technology called "Bio-Chronometrics" from Oxford-Biochron allows passive user authentication via type, touch, click, with any device (phone, web, or tablet). This will help fight spam robots and speed up user entry. They also have a WordPress plugin called NoMoreCaptchas which allows a real user to log-in with out those old captcha words. I would say this is the future of authentication.

Comments are now closed

Market Place