The "Dark Pattern" of Google Authenticator
Retool, based in San Francisco, has pointed to a feature Google introduced in April 2023, cloud synchronization of Google Authenticator accounts, and called it a "dark pattern." The company says the feature let the attackers obtain the one-time password (OTP) secrets stored in the Google Authenticator app, and with them every code the app would generate, which effectively bypassed multi-factor authentication (MFA).
"The fact that Google Authenticator syncs with the cloud is a new attack vector," said Snir Kodesh, the CTO of Retool. "We originally implemented multi-factor authentication. However, thanks to this Google update, what was once multi-factor authentication became, unnoticed by administrators, single-factor authentication."
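Why a synced seed is the whole factor, as an added example that is not part of the original article or of Retool's or Google's own material: a TOTP code is a deterministic function of the shared secret and the clock (RFC 6238), so anyone who can read that secret out of a backup produces exactly the code the victim's phone shows, and the verifying server has no way to tell the two apart. The provisioning URI, account name and issuer below are constructed for the example; the seed is the RFC 6238 reference secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Parse an otpauth://totp/... provisioning URI into its parameters.

    This is the per-account record an authenticator app keeps; any cloud backup
    of the app must carry the same secret, which is the point of the example."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    secret_b32 = secret_b32.strip().upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    return hotp(key, at_time // period, digits, algorithm)


def verify_totp(secret_b32: str, candidate: str, at_time: int, window: int = 1,
                digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of clock
    drift, comparing in constant time. Nothing here can distinguish a code from
    the legitimate phone from one computed with a copy of the seed."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, at_time + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed sample: the RFC 6238 reference seed (ASCII "12345678901234567890")
# in base32, wrapped in a provisioning URI the way an authenticator stores an account.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def demonstrate_shared_seed(at_time: int = 1111111109) -> dict:
    """The victim's phone and an attacker holding the backed-up seed compute the same code."""
    acct = parse_otpauth_uri(SAMPLE_URI)
    kw = dict(digits=acct["digits"], period=acct["period"], algorithm=acct["algorithm"])
    victim_code = totp(acct["secret"], at_time, **kw)    # what the phone displays
    attacker_code = totp(acct["secret"], at_time, **kw)  # what the seed holder computes
    return {
        "account": acct["label"],
        "victim": victim_code,
        "attacker": attacker_code,
        "server_accepts_attacker": verify_totp(acct["secret"], attacker_code, at_time, **kw),
    }


if __name__ == "__main__":
    print(demonstrate_shared_seed())
```

The design point is in `verify_totp`: the server holds the same symmetric secret as the phone, so its only check is "does the candidate match what this secret yields for this time step". Possession of the device is never proven, only possession of the seed, and once the seed lives in a cloud backup, the backup's account becomes the factor.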
Retool states that the incident, which occurred on August 27, 2023, did not give the attackers unauthorized access to on-premises or managed accounts. The incident also coincided with the company's migration of its logins to Okta.
The Genesis: SMS Phishing and Voice Impersonation
It all began with an SMS phishing attack targeting Retool's employees, where the malicious actors posed as members of the IT team, instructing recipients to click on what appeared to be a legitimate link to resolve a payroll-related issue.
One employee fell for the lure, followed the link to a fake login page and entered his credentials there. In the next stage, the attackers called the employee, again posing as an IT staff member and even imitating that staff member's real voice, in order to obtain an MFA code.
"The additional OTP token exchanged during the call was crucial because it allowed the attacker to add their own device to the employee's Okta account, enabling them to create their own Okta MFA from that point forward," explained Kodesh. "This allowed them to have an active G Suite [now Google Workspace] session on that device."
Because the employee had also turned on Google Authenticator's cloud synchronization, the OTP seeds for his other accounts were backed up to the Google account the attackers now controlled. That gave them broad access to Retool's internal administration systems and, through those, control of the accounts of 27 customers, all of them in the cryptocurrency industry.
"Since control over the Okta account meant control over the Google account, this led to control over all OTPs stored in Google Authenticator," noted Kodesh.
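One detection a defender can run over identity-provider logs for the step Kodesh describes, the attacker enrolling their own MFA device from a machine the employee had never used, as an added example that is not from the article, Retool or Okta: flag factor activations (and factor resets) from a client the user had no successful sign-in from until less than a day earlier. The sample events are constructed; the field and event-type names (`published`, `eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`, `user.session.start`, `user.mfa.factor.activate`, `user.mfa.factor.reset_all`) follow the Okta System Log, while the one-day maturity threshold and the IP-only client key are assumptions to tune.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of Okta System Log entries. Field names follow the
# Okta System Log; every user, address and timestamp is invented for this example.
SAMPLE_LOG = "\n".join([
    '{"published":"2023-08-01T09:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}',
    '{"published":"2023-08-20T08:30:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10"}}',
    '{"published":"2023-08-21T10:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.33"}}',
    '{"published":"2023-08-25T10:15:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.33"}}',
    '{"published":"2023-08-27T13:55:00.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"}}',
    '{"published":"2023-08-27T14:01:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"}}',
    '{"published":"2023-08-27T14:06:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7"}}',
    '{"published":"2023-08-27T16:00:00.000Z","eventType":"user.mfa.factor.activate","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"192.0.2.50"}}',
])

# Events that add or replace an MFA factor; a successful one from an unfamiliar
# client is the attacker "adding their own device" in the narrative above.
ENROLLMENT_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.reset_all"}


def parse_log(text):
    """Parse newline-delimited JSON events and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["_ts"] = datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return sorted(events, key=lambda e: e["_ts"])


def client_key(event):
    """Identity of the client. Keying on IP alone is an assumption kept for brevity;
    a device fingerprint or ASN would be a stronger key in production."""
    return event.get("client", {}).get("ipAddress")


def find_suspicious_enrollments(log_text, maturity=timedelta(days=1)):
    """Flag MFA enrollment events from a client the user had not successfully
    signed in from for at least `maturity` before the enrollment."""
    first_seen = {}  # (user, client) -> timestamp of first successful session
    alerts = []
    for event in parse_log(log_text):
        if event.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed logins do not make a client "known"
        user = event["actor"]["alternateId"]
        key = (user, client_key(event))
        if event["eventType"] == "user.session.start":
            first_seen.setdefault(key, event["_ts"])
        elif event["eventType"] in ENROLLMENT_EVENTS:
            seen = first_seen.get(key)
            age = event["_ts"] - seen if seen else None
            if age is None or age < maturity:
                alerts.append({
                    "user": user,
                    "client": key[1],
                    "event": event["eventType"],
                    "at": event["published"],
                    "client_age": age,  # None: no prior session from this client at all
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this flags alice's enrollment five minutes after the first successful session from 198.51.100.7 and carol's enrollment from a client with no session history, while bob's replacement of a factor from an address he had used for four days passes. The failed login at 13:55 is deliberately ignored so that an attacker's earlier password-guessing does not age their client into a "known" one.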
The Aftermath: Stolen Cryptocurrency
Ultimately, the attackers changed the email addresses on these customer accounts and reset their passwords. As a result of the breach, Fortress Trust, one of the affected customers, lost approximately $15 million in cryptocurrency.
The lesson is more specific than "constant vigilance": an MFA factor whose secret is backed up to an account reachable with the same primary credentials is only as strong as that account, and a phishing chain that captures one code and one session can turn it into no factor at all. Companies holding customer crypto assets should check whether their authenticator seeds are synced to a cloud account and treat the enrollment of a new MFA device as a privileged, monitored operation, both to protect their clients and their reputation.