This week's Reddit breach shows the company's security is (still) woefully inadequate


Popular discussion website Reddit this week proved its security was still not up to snuff when it disclosed another security flaw resulting from an attack that successfully phished employee login credentials.

In a Thursday post, Reddit CTO Chris "KeyserSosa" Slowe said that after the employee's account was breached, the attacker gained access to source code, internal documents, internal dashboards, business systems, and contact information for hundreds of Reddit employees. An investigation into the breach over the past few days, Slowe said, found no evidence that the company's major production systems or user password data were accessed.


"On February 5, 2023 (PST), we became aware of a sophisticated phishing campaign that targeted Reddit employees," Slowe wrote. "As with most phishing campaigns, the attacker sent out plausible prompts pointing employees to a website that cloned our intranet gateway behavior, with the intent of stealing credentials and second-factor tokens."

Only one employee fell for the scam, and with that, Reddit got hacked.

This isn't the first time a successful credential phishing campaign has led to Reddit's network being breached. In 2018, a successful phishing attack against another Reddit employee resulted in the theft of a mountain of sensitive user data, including encrypted and hashed password data, the corresponding usernames, email addresses, and all user content, including private messages.

In this earlier breach, the phishing victim's employee account was protected by a weak form of two-factor authentication (2FA) that relied on one-time passwords (OTPs) sent by SMS. Security practitioners have frowned on SMS-based 2FA for years because it is vulnerable to several attack techniques. One is called SIM swapping, in which attackers take control of a targeted phone number by tricking the mobile carrier into porting it. The other is phishing the OTP.

When Reddit officials revealed the 2018 breach, they said they learned from experience that "SMS authentication isn't as secure as we'd hoped" and, "We emphasize that to encourage everyone here to switch to token-based 2FA."

Fast forward a few years and it's obvious that Reddit still hasn't learned the right lessons about securing employee authentication processes. Reddit hasn't revealed what kind of 2FA system it's now using, but the admission that the attacker managed to steal the employee's second-factor tokens tells us all we need to know: the site continues to use a form of 2FA that is terribly susceptible to credential phishing attacks.

The reason for this susceptibility can vary. In some cases, the tokens are based on push notifications that employees receive during the login process, usually immediately after entering their passwords. The push requires the employee to click a link or a "yes" button. When an employee enters the password on a phishing site, they expect to receive the push. Since the site appears genuine, the employee has no reason not to click the link or button.

OTPs generated by an authentication application such as Authy or Google Authenticator are also vulnerable. The fake site not only phishes the password but also the OTP. A fast attacker or automated relay on the other end of the website quickly enters the data into the real employee portal. With this, the targeted company is hacked.

The best form of 2FA available now conforms to an industry standard known as FIDO (Fast Identity Online). The standard allows several forms of 2FA that require physical hardware, most commonly a phone, near the device logging into the account. Because phishers logging into the employee's account are miles or continents away from the authenticating device, the second-factor check fails for them.
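To make the contrast between the two paragraphs above concrete, here is an added example (not from the article, and not Reddit's or any vendor's code). It runs a standard TOTP code and a FIDO-style assertion through the same relay scenario: the TOTP code is accepted by the real portal no matter which site the user typed it into, while the FIDO-style assertion is rejected because the authenticator signs the origin the browser actually visited. Assumptions: the authenticator's signature is modelled with an HMAC over a key shared only with the portal, and all secrets, origins and timestamps are constructed.

```python
import hashlib, hmac, json, struct

# --- Phishable factor: TOTP (RFC 6238, HMAC-SHA1) ---------------------------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """The code depends only on the shared secret and the time, never on the
    site the user typed it into, so a relay can forward it to the real portal."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_portal_accepts(secret: bytes, code_from_user: str, t: int) -> bool:
    return hmac.compare_digest(code_from_user, totp(secret, t))

# --- Phishing-resistant factor: FIDO-style signed challenge ------------------
# Assumption: HMAC stands in for the authenticator's private-key signature.
def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser hands the authenticator the origin it is really connected to
    (what the user sees in the URL bar); that origin is part of what is signed."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    return {"client_data": client_data,
            "sig": hmac.new(key, client_data, hashlib.sha256).hexdigest()}

def fido_portal_accepts(key: bytes, assertion: dict, expected_challenge: bytes,
                        expected_origin: str) -> bool:
    data = json.loads(assertion["client_data"])
    if data["origin"] != expected_origin:            # relayed from a clone -> reject
        return False
    if bytes.fromhex(data["challenge"]) != expected_challenge:  # replay -> reject
        return False
    good = hmac.new(key, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, assertion["sig"])

def relay_outcomes(t: int = 1_675_600_000) -> dict:
    """Same relay scenario applied to both factors (constructed values)."""
    secret, key = b"constructed-totp-secret", b"constructed-authenticator-key"
    real, clone = "https://intranet.example", "https://intranet-example.login"
    # TOTP: user types the code on the clone; relay forwards it to the real portal.
    totp_relayed = totp_portal_accepts(secret, totp(secret, t), t)
    # FIDO: real portal's challenge is relayed to the clone, where the browser
    # has the authenticator sign it, but with the clone's origin.
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    fido_relayed = fido_portal_accepts(key, authenticator_sign(key, challenge, clone),
                                       challenge, real)
    fido_legit = fido_portal_accepts(key, authenticator_sign(key, challenge, real),
                                     challenge, real)
    return {"totp_relay_accepted": totp_relayed,
            "fido_relay_accepted": fido_relayed,
            "fido_legitimate_accepted": fido_legit}
```

The `totp` function follows RFC 6238 exactly, so it can be checked against the RFC's published test vectors; the FIDO half is a teaching model of origin binding, not a WebAuthn implementation.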

FIDO 2FA can be strengthened if, in addition to proving ownership of the enrolled device, the user must also provide a facial scan or fingerprint to the authenticating device. This measure...

