Popular Community Site Reddit Breached Through Continued Use of NIST-Deprecated SMS Two Factor Authentication (2FA)
Online community site Reddit announced Wednesday that it was breached in June 2018. In a refreshingly candid advisory, it provides a basic explanation of how the incident occurred, details on the extent of the breach, details on its own response, and advice to potential victims.
The extent of the breach was limited. It was discovered on June 19, and occurred between June 14 and June 18, this year. “A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords,” announced Chris Slowe, CTO and founding engineer at Reddit.
With more than 330 million active monthly users, Reddit is home to thousands of online communities where users can share stories and host public discussions.
Apart from the limited extent, it was also limited in scope. “The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs.” This comprises a complete copy of an old database backup including account credentials and email addresses (2005 to 2007); logs containing email digests sent between June 3 and June 17, 2018; and internal data such as source code, internal logs, configuration files and other employee workspace files.
“The disclosure of email addresses and their connected Reddit usernames,” warns Jessica Ortega, a security researcher at SiteLock, “could potentially mean attackers can identify and dox users — that is, release personally identifying information — who rely on Reddit for discussing controversial topics or posting controversial images. It is recommended that all Reddit users update their passwords.”
Reddit’s response to the breach has been to report the incident to, and cooperate with, law enforcement; to contact users who may be impacted; and to strengthen its own privileged access controls with enhanced logging, more encryption and required token-based 2FA. It also advises all users to move to token-based 2FA.
This advice is because it believes the breach occurred through SMS intercept on one of its own employees. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”
This last comment has raised eyebrows. As long ago as 2016, NIST denounced SMS 2FA. “Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators,” it stated in the DRAFT NIST Special Publication 800-63B.
The most common attack against SMS 2FA, explains Joseph Kucic, CSO at Cavirin, is mobile device malware designed to capture/intercept SMS messages — a major feature for use against mobile banking apps. But, he adds, “SMS messages have had other risks: SIM swap and unauthorized access from SS7 (core telco signaling environments) — these issues have been known and discussed in the security circles for years.”
While Reddit doesn’t make it clear whether the ‘intercept’ was via malware on an employee’s mobile device or via flaws in the SS7 telecommunications protocol, the latter seems the most likely. SS7 is a telephony signaling protocol initially developed in 1975, and it has become deeply embedded in mobile telephone routing. As such it is unlikely to be corrected or replaced in the immediate future — but the effect is that almost any mobile telephone conversation anywhere in the world can be intercepted by an advanced adversary.
The fact that SS7 attacks are not run-of-the-mill events makes Tom Kellermann, CSO at Carbon Black, wonder who might be behind the attack. “The Reddit breach seems to be more tradecraft-oriented,” he told SecurityWeek. “They were victimized, but by whom: more than likely a nation-state given their capacity to influence Americans. I hope that they were not used to island hop into other victims’ systems via a watering hole.” According to Carbon Black research, 36% of cyberattacks attempt to leapfrog through the victims’ systems into their customers’ systems.
He is not alone in wondering if there may be more to this breach. “I am concerned that Reddit seems to be playing down the data breach as it was only read access to sensitive data and not write. This is positive news; however, it does not reduce the severity of the data breach when it relates to sensitive data,” comments Joseph Carson, chief security scientist at Thycotic.
Of course, the attack may not have been effected via the SS7 flaws. “In this type of attack, the phone number is the weakest link,” warns Tyler Moffit, senior threat research analyst at Webroot. “Cybercriminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication. For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number. This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax.”
“When Reddit started using SMS for Two Factor Authentication in 2003 it was a best practice,” Joseph Kucic, CSO at Cavirin told SecurityWeek; adding, “The one fact about any security technology is that its effectiveness decreases over time for various reasons — and one needs to take inventory of the deployed security effectiveness at least annually.” He believes that security technologies, just like applications, have a product lifecycle, “and there is a point when an end-of-life should be declared before unauthorized individuals — hackers or nation/state actors — do it for you.”
Reddit has earned plaudits for its breach notification as well as criticism for its continued use of SMS 2FA. “The level of detail Reddit provides,” said Chris Morales, head of security analytics at Vectra, “is more than many larger organizations have provided on much more significant breaches. These details are based on an investigation and explain what happened during the breach — how the attackers infiltrated the network and what exactly they gained access to — and most importantly disclosed Reddit’s internal processes to address the breach, including the hiring of new and expanded security staff.”
Ilia Kolochenko, CEO at High-Tech Bridge, makes the point that despite Reddit’s apparent openness, we still don’t know everything about the breach. “Often, large-scale attacks are conducted in parallel by several interconnected cybercrime groups aimed to distract, confuse and scare security teams,” he comments. “While attack vectors of the first group are being mitigated, others are actively exploited, often not without success. Otherwise, the disclosure and its timeline are done quite well done by Reddit.”
He also cautions against placing too much blame on Reddit’s use of SMS 2FA. “I would refrain from blaming the 2FA SMS — in many cases it’s still better than nothing. Moreover, when most of business-critical applications have serious vulnerabilities varying from injections to RCE, 2FA hardening is definitely not the most important task to take care of.”
Nevertheless, the consensus is that Reddit should be applauded for its disclosure, but censured for its use of SMS 2FA. “Reddit won’t be the last organization to be breached via SMS authentication in the future,” comments Sean Sullivan, security advisor at F-Secure. “At this point, the use of SMS-based MFA for administrators should be considered negligent.”