Drupal offers bounty for breaking its new two-factor authentication

Developers behind the popular open source content management system, Drupal, want hackers to break its two-factor authentication system for drupal.org before it goes live.

Over a year after the Drupal.org website was hacked, exposing usernames and hashed passwords, Drupal’s developers are preparing to roll out an additional layer of security that would make it harder for attackers to break into accounts with only a compromised username and password combination.

Drupal.org hopes to deploy two-factor-authentication to enhance the security of the site. This tool will help to ensure that accounts with advanced permissions are only used by the intended individual,” said Drupal security team member Greg Knaddison.

CARD.com, a partner of Drupal, is putting up a $50 to $500 bounty on its bugcrowd.com profile for anyone who can break a test site that has been set up for with Drupal’s own two-factor authentication implementation, which uses the Time-based One-time Password Algorithm (TOTP).

Since TOTP is an industry standard protocol, drupal.org users should — assuming Drupal goes ahead with the plan — be able to use Google’s Authenticator app or FreeOTP to generate authentication codes for the site. 

The test target site has an administrator account which uses “admin” for the username and password and has two-factor enabled, requiring a six digit code to gain access.

Knaddison notes that the account has several trusted browsers and a set of recovery codes. So if the attacker can gain access to these, presumably they can bypass the additional security.

The site has also been prepared with realistic precautions, such as rate-limiting login attempts from a single IP address, and other Drupal security modules. 

Drupal is only interested in certain types of attacks, namely those that may break its use of time-based one time passwords, or somehow gain access to the trusted browsers, or one-time-user recovery codes.

As such a number of potential attacks are out of scope, including social engineering, man-in-the-middle attacks or other vulnerabilities that require sniffing a session or gaining access to a previously logged in computer.

Brute force attacks are in scope but only if they exploit a weakness in Drupal’s two-factor implementation to use “significantly fewer resources than is generally required for TOTP or 7 digit recovery codes.”  

According to Knaddison, “It is very likely that TFA will get deployed to drupal.org” and when that happens, Drupal will be looking to prompt users into setting up the additional authentication.

Drupal last year reset all user passwords after discovering unauthorised access to account information on Drupal.org and groups.drupal.org. The issue affected only the two sites, not third-party sites that run on Drupal's CMS. Nonetheless, the breach exposed username, email address, hashed password, and country of users of the two Drupal sites.


Join the CSO newsletter!

Error: Please check your email address.

Tags CARD.comhackedtwo-factor authenticationdevelopersGoogles Authenticatordrupal

More about CMSGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place