Popular discussion website Reddit proved this week that its security still isn’t up to snuff when it disclosed yet another security breach that was the result of an attack that successfully phished an employee’s login credentials.
In a post published Thursday, Reddit Chief Technical Officer Chris “KeyserSosa” Slowe said that after the breach of the employee account, the attacker accessed source code, internal documents, internal dashboards, business systems, and contact details for hundreds of Reddit employees. An investigation into the breach over the past few days, Slowe said, hasn’t turned up any evidence that the company’s primary production systems or that user password data was accessed.
“On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees,” Slowe wrote. “As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.”
A single employee fell for the scam, and with that, Reddit was breached.
It’s not the first time a successful credential phishing campaign has led to the breach of Reddit’s network. In 2018, a successful phishing attack on another Reddit employee resulted in the theft of a mountain of sensitive user data, including cryptographically salted and hashed password data, the corresponding user names, email addresses, and all user content, including private messages.
In that earlier breach, the phished employee’s account was protected by a weak form of two-factor authentication (2FA) that relied on one-time passwords (OTP) sent in an SMS text. Security practitioners have frowned on SMS-based 2FA for years because it’s vulnerable to several attack techniques. One is so-called SIM swapping, in which attackers take control of a targeted phone number by tricking the mobile carrier into transferring it. The other is simply to phish the OTP itself: the cloned login page asks the victim for the code, and the attacker relays it to the real site before it expires. That second technique works against any OTP, whether delivered by SMS or generated by an authenticator app, because nothing ties the code to the site it was typed into.
industry standard known as FIDO (Fast Identity Online). The standard covers several forms of 2FA in which a hardware authenticator (a security key, or the secure hardware built into a phone or laptop) signs a login challenge that is bound to the website’s origin. A cloned gateway lives on a different origin, so the browser will not let it request the real site’s credential, and even a response obtained through it would not verify at the real site. In the cross-device flow, where a phone acts as the authenticator, the phone must additionally be physically near the machine logging in, a condition phishers operating miles or continents away cannot satisfy. Either way, the relayed 2FA step fails.
FIDO 2FA can be made even stronger if, besides proving possession of the enrolled device, the user must also verify themselves to the authenticator with a fingerprint or facial scan before it signs. This yields three factors (a password, possession of a physical key, and a fingerprint or facial scan). Since the biometric is matched on the authenticating device itself (the phone’s or laptop’s fingerprint or face reader) and never sent to the server, the extra check adds no privacy exposure for the employee.
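To make concrete why a relayed OTP completes a login and a relayed FIDO response does not, here is an added Python illustration (it is not Reddit’s or Cloudflare’s code). It models the OTP relay on one side and, on the other, the three checks in a WebAuthn-style login that a cloned page at a look-alike origin cannot pass: the browser refuses to request a credential for an rpId that is not a suffix of the page’s own origin, the authenticator holds no credential scoped to the attacker’s domain, and the real site rejects an assertion whose client data carries a foreign origin. The hostnames are hypothetical, the TOTP secret is the RFC 6238 test vector, and an HMAC stands in for the ECDSA signature a real authenticator produces.

```python
"""Added example: why a phished OTP relays but a FIDO/WebAuthn assertion does not.
Not Reddit's or Cloudflare's code. HMAC-SHA256 stands in for the authenticator's
ECDSA signature (a labelled simplification so the block runs on the standard
library); the rpId and origin checks mirror WebAuthn's verification steps.
Hostnames are hypothetical."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "intranet.example.com"                  # hypothetical relying party
RP_ORIGIN = "https://intranet.example.com"
PHISH_ORIGIN = "https://intranet-example.com"   # hypothetical look-alike clone


# ---- OTP: a bearer value the victim types, so anything typed can be relayed ----
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def otp_relay_succeeds(secret: bytes, now: int) -> bool:
    """Victim types the code into the clone; attacker forwards it to the real
    gateway inside the validity window. Nothing ties the code to a site."""
    forwarded = totp(secret, now)
    return hmac.compare_digest(forwarded, totp(secret, now))


# ---- FIDO/WebAuthn: the response is bound to the rpId and to the origin ----
class Authenticator:
    """One credential per rpId; private keys never leave the device."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key          # stands in for the public key the RP stores

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> tuple[bytes, bytes]:
        key = self._keys.get(rp_id)
        if key is None:
            raise LookupError(f"no credential scoped to {rp_id}")
        # authenticatorData = SHA-256(rpId) || flags (user-present bit set)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(auth: Authenticator, origin: str, rp_id: str, challenge: str):
    """The browser, not the page, fills in origin and enforces that rpId is a
    registrable suffix of the calling origin's host."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{origin} may not request credentials for {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data, sig = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:        # origin binding: a clone fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legit_login(auth: Authenticator, key: bytes) -> bool:
    challenge = secrets.token_urlsafe(32)
    return rp_verify(key, challenge, *browser_get(auth, RP_ORIGIN, RP_ID, challenge))


def phished_login(auth: Authenticator, key: bytes) -> dict[str, bool]:
    """Attacker relays the real gateway's challenge through the clone.
    Returns which of three defences let the attack through (all should be False)."""
    challenge = secrets.token_urlsafe(32)     # fetched from the real gateway by the attacker
    result = {"browser_allowed": True, "attacker_rpid_has_credential": True, "rp_accepted": True}
    try:                                      # 1. clone asks for the real site's rpId
        browser_get(auth, PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError:
        result["browser_allowed"] = False
    try:                                      # 2. clone asks for its own rpId instead
        browser_get(auth, PHISH_ORIGIN, "intranet-example.com", challenge)
    except LookupError:
        result["attacker_rpid_has_credential"] = False
    # 3. even a client that skipped the suffix rule would embed the true origin,
    #    and the real gateway rejects the assertion on that field
    cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                     "origin": PHISH_ORIGIN}).encode()
    auth_data, sig = auth.get_assertion(RP_ID, hashlib.sha256(cd).digest())
    result["rp_accepted"] = rp_verify(key, challenge, cd, auth_data, sig)
    return result


if __name__ == "__main__":
    auth = Authenticator()
    key = auth.register(RP_ID)
    print("OTP relayed through clone accepted:", otp_relay_succeeds(b"12345678901234567890", 59))
    print("FIDO legitimate login:", legit_login(auth, key))
    print("FIDO login through clone:", phished_login(auth, key))
```

The OTP half succeeds on every run because the code is a bare secret the user hands over; the FIDO half fails at every one of the three stages because the challenge response is scoped to an rpId and stamped with the origin the browser observed, not the one the phishing page claims. A real deployment also checks the signature counter and user-verification flag, which are omitted here.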
hit by the same phishing campaign. While three employees were tricked into entering their credentials into the fake Cloudflare portal, the attack failed for one simple reason: rather than relying on OTPs for 2FA, the company used FIDO hardware keys, so the phished passwords and codes could not complete a login.
To be fair to Reddit, there’s no shortage of organizations that rely on 2FA that’s vulnerable to credential phishing. But as already noted, Reddit has been down this path before. The company vowed to learn from its 2018 intrusion, but clearly it drew the wrong lesson. The right lesson is: FIDO 2FA is phishing-resistant by design, because the authenticator’s response is bound to the site’s origin. OTPs and push approvals aren’t, because anything a user can type or tap on a cloned page can be relayed to the real one.
Reddit representatives didn’t respond to an email seeking comment for this post.
People who are trying to decide what service to use and are being courted by sales teams or ads from multiple competing providers would do well to ask whether the provider’s 2FA systems, for its own employees as well as its customers, are FIDO-compliant. Everything else being equal, the provider using FIDO to prevent network breaches is hands down the best option.