autotldr Bot

This is the best summary I could come up with:


A security company is calling out a feature in Google’s authenticator app that it says made a recent internal network breach much worse.

The attack started when a Retool employee clicked a link in a text message purporting to come from a member of the company’s IT team.

It warned that the employee would be unable to participate in the company’s open enrollment for health care coverage until an account issue was fixed.

Shortly afterward, the employee received a phone call from someone who claimed to be an IT team member and had familiarity with the “floor plan of the office, coworkers, and internal processes of our company.” During the call, the employee provided an “additional multi-factor code.” It was at this point, the disclosure contended, that a sync feature Google added to its authenticator in April magnified the severity of the breach because it allowed the attackers to compromise not just the employee’s account but a host of other company accounts as well.

“The additional OTP token shared over the call was critical, because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward,” Retool head of engineering Snir Kodesh wrote.

In an email seeking clarification, Kodesh declined to comment, citing an ongoing investigation by law enforcement.


The original article contains 455 words, the summary contains 226 words. Saved 50%. I’m a bot and I’m open source!
