isc2.org Website MFA Bypass Vulnerability

grcacademy.io / @Jacob Hill

Bottom Line Up Front

I was trying to log into my isc2.org account, and completely bypassed the MFA I had in place – by accident.

For this vulnerability to be exploited, the following must have been in place:

  • The attacker already compromised the user’s isc2.org password
  • The user hadn’t set up SMS (text messaging) as an MFA method

The attacker could compromise the user’s (ISC)2 account by entering the user’s credentials, registering a phone number during the login flow, and then using the text messaged code.

The video below discusses and demonstrates the issue.

Video demonstrating the MFA bypass

Summary

I was logging into the isc2.org site to vote on their recent controversial bylaws amendment proposal when I accidentally discovered the MFA bypass. (ISC)2 is the organization behind the very popular CISSP certification, which is a highly regarded cybersecurity certification.

I had registered an authenticator app to use as MFA, but hadn’t registered text messaging as a method because… Well, text messaging isn’t secure (i.e. SIM swapping).

The site let me “Try something else” and REGISTER a NEW phone number – I was in! I just bypassed my own enrolled MFA method!

Timeline

I haven’t been able to confirm this, but it appears this issue was caused by an SSO upgrade that ISC2 made on their website on 7/27/2022.

I reported the issue to them on Tuesday, 10/25/2022, and they called me on Friday, 10/28/2022, to ensure they understood my report. It appeared that they resolved the issue in mid-November, but I finally received confirmation that the issue was resolved on 12/13/2022. I did ask for the exact date that they resolved the issue for my report, but (ISC)2 said they wouldn’t release any further information.

The Details

In case you missed it, here is the video demonstration of this issue.

Here is the configuration of my MFA methods prior to the MFA bypass. Note that I only have “Google Authenticator” enabled.

Enabled MFA methods prior to MFA bypass

Here I am at the (ISC)2 login screen.

(ISC)2 login screen

After entering my username and password, the system prompted me for a code from the authenticator app. I didn’t have access to the code, so I clicked on “Try Another Method.”

(ISC)2 login screen MFA Prompt

I didn’t remember the methods I had set up, so I tried “SMS Authentication” (which actually wasn’t enabled at this time).

(ISC)2 login screen – “Try another method”

Here is the problem. The site allowed me to register a NEW phone number, and enable the SMS MFA method during the login flow. ANY phone number could be used.

Registering a NEW phone number during the login flow

Here is the text message I received with the code.

The SMS code I received after registering the new phone number

Entering the code I received in the text message.

Entering the code I just received

…And I’m logged in. I just bypassed my own MFA!

Logged in after bypassing the MFA method I had configured

The system did generate an alert indicating that a new MFA method had been activated.

Email alert notifying me that SMS MFA method was activated

Here are the MFA options after enabling “SMS authentication” during the login flow.

Enabled MFA methods after the MFA bypass
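To make the flaw concrete, here is an added example modelling the login-time “Try another method” step. It is not (ISC)2’s code (their actual implementation is not public); the vulnerable version lets a password-only session enroll a new SMS number mid-login, while the hardened version offers only already-enrolled factors and requires a session that has completed MFA before anything new can be enrolled. The User class, factor names, TOTP secret and phone number are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed account model; not (ISC)2's code."""
    username: str
    # factor name -> enrolled value, e.g. {"totp": "<secret>", "sms": "<phone>"}
    enrolled_factors: dict = field(default_factory=dict)


SUPPORTED_FACTORS = ("totp", "sms")


def sample_user():
    # Mirrors the post: authenticator app enrolled, no SMS number on file.
    return User("jacob", {"totp": "JBSWY3DPEHPK3PXP"})


# --- Vulnerable flow (the behaviour the post describes) ---------------------
# The caller has already passed the password check but NOT any second factor.

def vulnerable_available_methods(user):
    # "Try another method" lists every supported factor, enrolled or not.
    return list(SUPPORTED_FACTORS)


def vulnerable_select_method(user, method, new_phone=None):
    # Picking the unenrolled SMS factor enrolls the supplied number on the
    # spot, so the challenge goes to a phone the password holder controls.
    if method == "sms" and method not in user.enrolled_factors and new_phone:
        user.enrolled_factors["sms"] = new_phone
    return method in user.enrolled_factors


# --- Hardened flow -----------------------------------------------------------

def hardened_available_methods(user):
    # Offer only factors enrolled while the user was fully authenticated.
    return sorted(user.enrolled_factors)


def hardened_select_method(user, method):
    # A password-only session may use an enrolled factor, never add one.
    return method in user.enrolled_factors


def hardened_enroll_factor(session, user, method, value):
    # Enrollment is a post-login, step-up action: the session must already
    # have completed MFA with an existing factor before a new one is added.
    if not session.get("mfa_completed") or method not in SUPPORTED_FACTORS:
        return False
    user.enrolled_factors[method] = value
    return True
```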

Lessons

1. Strong passwords still matter.

As long as we still have to deal with passwords, they remain an important defense layer. Even with the recent compromise of LastPass, the recommendation to use a password manager still stands:

  • Use a very strong master password
  • Generate very strong and unique passwords for each account

2. MFA isn’t a cure-all.

Unfortunately, this isn’t the first time we’ve seen improper MFA configurations on websites. We’ve also seen MFA defeated in different ways such as compromising MFA tokens.

Don’t neglect the importance of strong passwords.
