Drupal.org hopes to deploy two-factor authentication to enhance the security of the site. This tool will help to ensure that accounts with advanced permissions are only used by the intended individual. The Two Factor Authentication module for Drupal (tfa) was originally built by Growing Venture Solutions, has been dramatically enhanced to work for Acquia, and is being made “drupal.org-ready” with support from CARD.com.
To help test the security of the module, CARD.com is sponsoring a security bounty of up to $500 with organizing help from Drupal Security Team members Michael Hess, Ben Jeavons and Greg Knaddison.
Target Site Setup
- There is a Drupal 7 site http://live-tfatest.gotpantheon.com/ which has the latest code for TFA and TFA Basic.
- The site has the Security Review and follows all its advice. The site is also running the paranoia module to limit what can be done after logging in.
- There is an administrator account with the username admin and password admin. This account has two-factor authentication set up using TOTP. The account has several trusted browsers and has a set of recovery codes.
- The homepage is “node/1” and lists out anyone who has successfully exploited the site (the list is empty at the time this was posted).
Suggestions and scope for exploiting the issue
- We are specifically looking for testing of the two-factor authentication system, including its use of time-based one-time passwords, trusted browsers, and one-time-use recovery codes.
- Social engineering attacks are out of scope
- There is flood-control in place per IP address that will lock out an IP after a few attempts.
- Man-in-the-middle or other theoretical vulnerabilities that require sniffing a session or gaining access to a previously logged in computer are out of scope.
- You can download the code used on the site at TFA 7.x-2.x-dev and TFA Basic 7.x-1.x-dev. We encourage you to set up your own site and review the code itself to help identify vulnerabilities.
- Brute force attacks will be considered, but are considered lower priority. See note below.
- Vulnerabilities in Drupal core that allow a researcher to achieve the proof of exploit (below) are in scope.
Proof of exploit
- Have bypassed TFA or otherwise gained an authenticated session on the site
- Edit the front page to add some information to indicate you have compromised the account (your name, a link, etc.).
- Submit the details of the exploit via the Bugcrowd issue tracker (https://bugcrowd.com/card). Any vulnerabilities will be released in coordination with the Drupal Security Team policies. Submitting the issue to Bugcrowd lets us easily give bounties to researchers worldwide.
- Send a copy of the report submitted to Bugcrowd to security@drupal.org.
Note on brute-force attacks
- Given that the module allows 6 attempts per hour per IP address, it is likely that you can brute force a TOTP code (1,000,000 combinations) for some amount of money that is probably above the bounty for this exercise, but low enough to make it feasible in a targeted attack on a high-value target. Discussion of this issue is happening in the drupal.org issue queue for tfa. For the purposes of this bounty, a brute-force attack is in scope if it leverages a weakness in this specific TFA implementation to use significantly fewer resources than are generally required for TOTP or 7-digit recovery codes.
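The cost estimate in the note above depends on three numbers: the code length, how many distinct codes the verifier will accept at a given moment (one TOTP code with no skew window, three with a ±1-step window, or every unused recovery code in a batch), and the per-IP flood limit. The following model, added here as an example and not part of the original post or of the TFA module, makes that arithmetic explicit so a site owner can see how a wide skew window or a large pile of outstanding recovery codes shrinks the attacker's work; the 6-attempts-per-hour figure comes from the post, everything else is a constructed input.

```python
"""Guessing-cost model for a fixed-length one-time code behind a per-IP flood
limit. Added example; not the original post's or the TFA module's code.
All parameters are constructed inputs (the 6/hour rate is from the post)."""


def per_guess_probability(digits: int, accepted_codes: int) -> float:
    """Chance that one uniformly random guess is accepted right now.

    `accepted_codes` is how many distinct values the verifier accepts at that
    moment: 1 for TOTP with no skew window, 3 for a +/-1 step window, or the
    number of still-unused codes in a recovery-code batch.
    """
    return accepted_codes / (10 ** digits)


def expected_guesses(digits: int, accepted_codes: int) -> float:
    """Mean number of guesses before the first acceptance (geometric trials)."""
    return (10 ** digits) / accepted_codes


def hours_to_expected_success(digits: int, accepted_codes: int,
                              attempts_per_hour_per_ip: int, ips: int = 1) -> float:
    """Wall-clock hours for the mean case under a fixed per-IP flood limit,
    assuming the attacker controls `ips` independent source addresses."""
    return expected_guesses(digits, accepted_codes) / (attempts_per_hour_per_ip * ips)


def success_probability(digits: int, accepted_codes: int, total_attempts: int) -> float:
    """P(at least one acceptance) over `total_attempts` independent guesses."""
    p = per_guess_probability(digits, accepted_codes)
    return 1.0 - (1.0 - p) ** total_attempts


def compare_scenarios() -> dict:
    """Side-by-side view of the settings the post discusses (constructed cases)."""
    rate = 6  # flood limit from the post: 6 attempts per hour per IP address
    return {
        # six-digit TOTP, verifier accepts only the current step
        "totp_6_digit_no_window_hours": hours_to_expected_success(6, 1, rate),
        # same TOTP with a +/-1 step skew window: three codes accepted at once
        "totp_6_digit_pm1_window_hours": hours_to_expected_success(6, 3, rate),
        # seven-digit recovery codes with ten of them still unused
        "recovery_7_digit_10_unused_hours": hours_to_expected_success(7, 10, rate),
        # chance one address succeeds within a year at the flood limit
        "one_year_one_ip_probability": success_probability(6, 1, rate * 24 * 365),
    }


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name:36s} {value:,.4f}")
```

The two defender-side takeaways the table surfaces: a ±1-step skew window cuts the expected time by a factor of three, and ten outstanding 7-digit recovery codes are accepted with exactly the same per-guess probability as a single 6-digit TOTP code, so unused recovery codes should be treated as live credentials and kept few.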
We would like to thank Pantheon for hosting the site for purposes of security research.
Deploying TFA to drupal.org
It is very likely that TFA will get deployed to drupal.org. The issue to track that is Deploy TFA on drupal.org which has had a lot of positive feedback. Having more confidence in the security of the module will help move that issue to resolution.
Comments
Quick update: So far, no one
Quick update:
Some big news:
Even though the issue is technically outside of the scope for this bug bounty, we decided to give a reward for it because we feel that it is an important improvement. It also took a bit of effort on the researcher's part to download and analyze the code and we want to reward that effort. We also hope that validating and rewarding an issue will encourage other researchers to find and report bugs.
knaddison blog | Morris Animal Foundation
This is "trivially" broken
Ignoring my title, can you post a link to the TFA module code, so I can see how much of a time drain this will be? Also I recently gave a talk giving your exact set up as "how not to do 2FA."
P.S. Account creation is messed up. I can't set/change my password because I currently don't have one. Note this is a known issue for at least two years now (https://www.drupal.org/node/1772880)... Maybe you should fix it.
Code (web viewer):
http://cgit.drupalcode.org/tfa/tree/
http://cgit.drupalcode.org/tfa_basic/tree/
Code (Git):
git clone --branch 7.x-2.x http://git.drupal.org/project/tfa.git
git clone --branch 7.x-1.x http://git.drupal.org/project/tfa_basic.git
Where is the account creation messed up? On drupal.org? Or on your local Drupal core development site? Or on groups.drupal.org? Or on the TFA test site? The link you provided is a support request in the general forums, so this is not filed as an issue against a particular project.
:)
groups.drupal.org, oops, I read the email and when it didn't redirect I just went to the edit page instead of clicking the login button.
"how not"?
Care to elaborate on these claims please?
When we started this bounty
When we started this bounty we were hoping to get experts such as yourself to provide feedback. It's obviously an important and yet tricky thing to get right. These modules were built after analyzing the flow of google, dropbox, github and other companies who provide tfa, though obviously they use different code.
Are there any slides or recordings of your presentations on this topic? I saw from your tweet stream that you presented at blackhat, but it looks like they don't post videos for 6+ months.
There shouldn't be a need to create an account - there is one already created with credentials available in the post above. If creating an account is critical to identifying a vulnerability we can try to find a solution.
It's now been a few days since your initial post and I haven't seen an issue you submitted. Are you still working on it? We plan to close this test-site on September 15th, after which point we'll still give a bounty for weaknesses in these modules, but any researcher will have to build their own site similar to the above if they want to test it in the same way (we'll probably provide some instructions on setup to make that easier).
Thanks again for helping test out these modules!
I just submitted
I meant to do this sooner. The only important things about my talk are:
Hardness: password*2FA (1,000*1,000,000 = 1,000,000,000) vs password+2FA (1,000+1,000,000 = 1,001,000)
Don't leak timing and check both regardless if one failed. Make sure to check all time skews even if one succeeds.
Login process:
Note you can check the second factor first then ask for the password and achieve password*2FA. Unless you have bad random which you do. An attacker would just guess the second factor until it is correct then do offline brute force to then get it down to like one in a few thousand. Once the second pin is guessed correctly you'll have the secret key.
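The three verifier properties the comment above argues for (evaluate both factors regardless of which one fails, leak no timing, and check every time-skew slot even after a match) as working code, added here as an example; it is not the TFA module's code and not the commenter's. The TOTP secret is the RFC 6238 Appendix B test key, the PBKDF2 password storage, salt and password are constructed stand-ins (not how Drupal stores passwords), and `check_login` is a hypothetical name.

```python
"""RFC 6238 TOTP verification that checks every skew slot and both login
factors before answering. Added example; not the TFA module's code.
The secret is the RFC 6238 / RFC 4226 test key; password, salt and the
PBKDF2 scheme are constructed stand-ins for a real password store."""
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1,
                digits: int = DIGITS, step: int = STEP) -> bool:
    """Accept `code` if it matches any slot in [-skew, +skew].

    Every slot is computed and compared: there is no early return on a match,
    and each comparison is constant-time, so the verifier's running time does
    not tell the caller which slot (if any) matched. Comparing as bytes means
    a malformed or non-ASCII submission simply fails instead of raising.
    """
    counter = unix_time // step
    submitted = code.encode("utf-8")
    matched = False
    for offset in range(-skew, skew + 1):
        if counter + offset < 0:  # before the epoch: nothing to compare against
            continue
        expected = hotp(secret, counter + offset, digits).encode("ascii")
        matched |= hmac.compare_digest(expected, submitted)
    return matched


def hash_password(password: str, salt: bytes) -> bytes:
    """Constructed password-store stand-in: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify_password(stored_hash: bytes, salt: bytes, password: str) -> bool:
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def check_login(stored_hash: bytes, salt: bytes, secret: bytes,
                password: str, code: str, unix_time: int) -> bool:
    """Evaluate both factors unconditionally and return one generic verdict.

    Neither factor short-circuits the other: a wrong password still costs the
    caller a full password hash plus a full TOTP check, and the caller learns
    only pass/fail, never which factor was wrong. That keeps the search space
    at password * code instead of password + code.
    """
    password_ok = verify_password(stored_hash, salt, password)
    code_ok = verify_totp(secret, code, unix_time)
    return password_ok and code_ok  # both already computed above


# Constructed demo values (secret = RFC 6238 Appendix B SHA-1 test key)
RFC_SECRET = b"12345678901234567890"
DEMO_SALT = b"constructed-salt"
DEMO_HASH = hash_password("correct horse", DEMO_SALT)

if __name__ == "__main__":
    now = 59  # RFC 6238 test time: counter 1, 8-digit code 94287082
    print("code at t=59:", totp(RFC_SECRET, now))
    print("login ok:", check_login(DEMO_HASH, DEMO_SALT, RFC_SECRET, "correct horse", totp(RFC_SECRET, now), now))
    print("login with wrong code:", check_login(DEMO_HASH, DEMO_SALT, RFC_SECRET, "correct horse", "000000", now))
```

`verify_totp` deliberately accumulates with `|=` rather than returning inside the loop; an implementation that returns on the first matching slot does slightly less work when the current slot matches, which is the kind of observable difference the comment warns about. The single boolean from `check_login` is what makes the two factors multiply: the moment a response distinguishes "wrong password" from "wrong code", each factor can be attacked on its own.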
Out of the four bugs I submitted
Out of the four bugs I submitted my guess is none will net me a bounty but you should fix them: ECB, the bug in Drupal to bypass rate limit (and use 8 digit codes), and the unlikely to be pulled off in the real world attack against bad random. Right, just remembered there was another bug. It's minor, sometimes the secret key and email are sent to Google over https.
Edit: Formatting issue with asdf vs *asdf*
See the issue related to password reset
Here is the issue about password reset that is active now: #889772: following a password reset link while logged in leaves users unable to change their password.
Quick update on TFA security testing
One note that I forgot to put in the initial post: This site will come offline on September 15th, however the bounty for it will remain open.
Final update: no one broke in!
We've put the TFA test site into maintenance mode to mark our testing period complete. No one bypassed the TFA access controls to gain authenticated access to the site!
We did award 5 researchers a bounty for their research and reports (there were 12 reports, 7 invalid or out of scope). These reports will lead to several security hardening improvements to the TFA and basic TFA plugin modules. You can see the issues in these release trackers https://www.drupal.org/node/2241821 and https://www.drupal.org/node/2243871. Also, I tagged beta releases of the modules yesterday: TFA beta1 and Basic TFA plugins beta1. Follow the release trackers to catch updates on full stable releases and on any beta breaking changes.
Finally, we feel this was a successful endeavor that has increased our confidence in the TFA solution for use by drupal.org and anyone that wants to improve security measures for their Drupal site. Thanks very much to those who tested the site and especially to those who reviewed the code and sent us reports!