The background and details of the Cloudflare hacking incident, which you can read in full at http://blog.cloudflare.com/the-four-critical-security-flaws-that-resulte and http://blog.cloudflare.com/post-mortem-todays-attack-apparent-google-app.
One of the most sophisticated attacks I have seen recently.
Writing that report wasn’t fun, but I believe it is important to share the details of the event so others who may be affected can learn from the events that transpired last Friday. This is not the usual way for the security industry, but we believe it’s the way the security industry should be. To that end, here’s what we know about the hack…
The Four Key Security Flaws
There were four key security flaws that allowed the hack to happen:
- AT&T was tricked into redirecting my voicemail to a fraudulent voicemail box;
- Google’s account recovery process was tricked by the fraudulent voicemail box and left an account recovery PIN code that allowed my personal Gmail account to be reset;
- A flaw in Google’s Enterprise Apps account recovery process allowed the hacker to bypass two-factor authentication on my CloudFlare.com address; and
- CloudFlare BCCing transactional emails to some administrative accounts allowed the hacker to reset the password of a customer once the hacker had gained access to the administrative email account.
Google has publicly stated that the flaw in the Google Enterprise App account recovery process has been patched and you can no longer use it to get around two-factor authentication. Again, since any security system is only as strong as its weakest link, we would recommend using an out-of-band authentication that doesn’t rely on the phone company’s network (e.g., Google Authenticator App, not SMS or voice verification).
Cloudflare Hacking Incident Timeline