A team of security researchers from PrivacySavvy recently discovered an OTP vulnerability in Airlift Express, which could lead to account hacks and exploits by cybercriminals.
Fortunately, the company has successfully fixed the security loopholes, but the incident shows the inadequacy of one-time passwords in protecting app users.
PrivacySavvy Labs is a group of researchers whose sole aim is to identify loopholes in the security of web applications that people use every day. They aim to make internets user safe and aware of the threats to their digital security.
This Airlift Express discovery is among the many companies the team has evaluated and helped avoid unnecessary security issues.
Airlift is a Pakistani mass Transit Company also offering online grocery services through its Airlift Express. Recently a group of researchers from Privacysavvy Labs discovered a security bug that could enable hackers to compromise Airlift Express users. According to the researchers, this security bug can provide a loophole for brute force attacks. Hackers can hijack an account on Airlift Express for whatever reasons known to them.
As per the PrivacySavvy report published on March 31st, hackers could perpetrate a brute force attack successfully on Airlift because the system is still using OTPs (one-time passwords). Usually, if you forget your password but want to log into Airlift Express, the system will advise you to click on “forgot password.” Once you do this, you’ll then enter your email address or phone number to open your account using an OTP, which Airlift will send to you.
(Image credit: PrivacySavvy.com)
According to the researchers, hackers can access an Airlift account in the same way. They could get a legit phone number through social engineering and use brute force to get to the right OTP. All they’ll do is try different combinations of numbers until they arrive at the correct one.
When the PrivacySavvy researchers tried the brute force attack on Airlift Express, they reported that it took them only 7 minutes to arrive at the right combination to open an account. Once they made this discovery, they sent an email to the company about the discovery.
As soon as the company got the information, they went to work fixing the security bug capable of compromising its users.
According to the PrivacySavvy report, one-time passwords has proven weak to modern brute force attack. The OTP system was mainly created to identify and authentic users in a way to repel attacks. This is why you might get an SMS OTP on your phone from a website you’re trying to access, and you’ll be required to fill it into the box on the website to confirm your ownership of the account. These OTPs were mainly used to provide additional log-on security for internet users. But unfortunately, hackers defeated the system within a short time. They can now find their ways around it and carry out their nefarious activities against internet users.
One of the things that PrivacySavvy researchers proved in their report was that the OTP system of verification couldn’t withstand brute force attacks. According to the team, brute force attacks are a method used by hackers to crack passwords. They’ll spend their time creating different combinations of numbers until they arrive at the correct one. In their trial, it took within 7mintues to crack the password but sometimes, hackers can spend hours trying to break a strong password.
The researchers also stated that hackers now employ many tools to carry out the brute force attack. Some of the tools they mentioned in their report include a rainbow crack, Ncrack, john the rippers, etc.
PrivaccySavvy researchers also mentioned some significant reasons for the inadequacy of one-time passwords in protecting internet users. They shared a critical study carried out by a group of researchers and what they found out about OTPs.
One of the discoveries in the report is that hackers have gotten more sophisticated and, according to them, are now using unique Trojans to bypass OTPs. They also mentioned other substantial reasons not to depend on one-time passwords in protecting internet users.
As for the solutions that companies can utilize in keeping their users safe from hackers and brute force attacks, PrivacySavvy says:
“Multi-factor authentication offers more security than a simple username and password combinations. That is so because the user must meet specific requirements, usually a) username/password b) have a mobile device; sometimes, a third authentication is needed, too”.
However, PrivacySavvy insists that companies should still be careful while implementing multi-factor authentication. The reason, according to them, is that not all multi-factor authentication is safe. Therefore, any company wishing to use Multi-factor authentication should approach it in the right way.
The researchers also opined that companies should consider using mobile apps or physical tokens in their authentication strategy to get the best results. The researcher also recommends that companies and web developers also consider using Captcha instead of one-time passwords.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Airlift Express)