Developers behind the popular open source content management system, Drupal, want hackers to break its two-factor authentication system for drupal.org before it goes live.
Over a year after the Drupal.org website was hacked, exposing usernames and hashed passwords, Drupal’s developers are preparing to roll out an additional layer of security that would make it harder for attackers to break into accounts with only a compromised username and password combination.
“Drupal.org hopes to deploy two-factor-authentication to enhance the security of the site. This tool will help to ensure that accounts with advanced permissions are only used by the intended individual,” said Drupal security team member Greg Knaddison.
CARD.com, a partner of Drupal, is putting up a $50 to $500 bounty on its bugcrowd.com profile for anyone who can break a test site that has been set up for with Drupal’s own two-factor authentication implementation, which uses the Time-based One-time Password Algorithm (TOTP).
Since TOTP is an industry standard protocol, drupal.org users should — assuming Drupal goes ahead with the plan — be able to use Google’s Authenticator app or FreeOTP to generate authentication codes for the site.
The test target site has an administrator account which uses “admin” for the username and password and has two-factor enabled, requiring a six digit code to gain access.
Knaddison notes that the account has several trusted browsers and a set of recovery codes. So if the attacker can gain access to these, presumably they can bypass the additional security.
The site has also been prepared with realistic precautions, such as rate-limiting login attempts from a single IP address, and other Drupal security modules.
Drupal is only interested in certain types of attacks, namely those that may break its use of time-based one time passwords, or somehow gain access to the trusted browsers, or one-time-user recovery codes.
As such a number of potential attacks are out of scope, including social engineering, man-in-the-middle attacks or other vulnerabilities that require sniffing a session or gaining access to a previously logged in computer.
Brute force attacks are in scope but only if they exploit a weakness in Drupal’s two-factor implementation to use “significantly fewer resources than is generally required for TOTP or 7 digit recovery codes.”
According to Knaddison, “It is very likely that TFA will get deployed to drupal.org” and when that happens, Drupal will be looking to prompt users into setting up the additional authentication.
Drupal last year reset all user passwords after discovering unauthorised access to account information on Drupal.org and groups.drupal.org. The issue affected only the two sites, not third-party sites that run on Drupal's CMS. Nonetheless, the breach exposed username, email address, hashed password, and country of users of the two Drupal sites.