Which Cryptocurrency Sites Are Impacted by Authy 2FA Security Exploit?
On Sunday afternoon, security firm Sakurity disclosed a vulnerability found in the Authy two-factor authentication system. This vulnerability is a security hole that could lead to cryptocurrency thefts on sites using Authy two-factor authentication (2FA). Sakurity is based in Hong Kong and routinely performs penetration tests, source code audits, and vulnerability assessments.
The exploit allows a nefarious user to bypass the two-factor authentication process by simply typing “../sms” in the prompt for a 2FA key when attempting to log in to an account secured with Authy.
Sakurity discovered the security hole on February 8th and reported the vulnerability to Authy. Authy immediately began to resolve the issue in their Authy software, but required that all sites using the Authy system update their software to address the issue.
Coin Fire has since tested several cryptocurrency sites in order to report which sites may be currently impacted by the security hole. Coin Fire contributors Brendon, Mike, and Leo attempted the exploit on their own accounts at various cryptocurrency sites.
Coinbase and ZenMiner have resolved the security issue on their sites. As of 2:30pm EDT on March 17th, PayBase has not fully resolved the issue on the PayBase website.
https://youtu.be/Iww944vqeno
While Authy can be used by end users on sites using Google Authenticator, only sites that are directly using the Authy-node system seem to be impacted. Other exchanges, such as Poloniex and Circle, were not impacted by this security issue.
A user attempting to falsely log in to another user’s account must still have that individual’s initial login details.
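The “../sms” string is a relative path, so it changes which endpoint is requested when a site places the submitted 2FA code directly into the URL of its verification call. The JavaScript below is an added example, not code from Authy, authy-node or Sakurity; the host, the path layout, the function names and the 6-to-10-digit token length are assumptions made for illustration.

```javascript
// Added illustration; not code from Authy, authy-node or Sakurity.
// API_BASE, the /verify/<token>/<id> layout and the token length are assumptions.
const API_BASE = "https://api.example.invalid/protected/json";

// Unsafe pattern: the submitted code goes into the request path unchanged.
// Returns the path the HTTP client would actually request after normalization.
function naiveVerifyPath(token, userId) {
  return new URL(`${API_BASE}/verify/${token}/${userId}`).pathname;
}

// Hardened pattern: allow-list the formats first, encode anyway, then confirm
// that the normalized path is still under the verify route.
function safeVerifyPath(token, userId) {
  if (typeof token !== "string" || !/^[0-9]{6,10}$/.test(token)) {
    throw new TypeError("2FA token must be 6 to 10 digits");
  }
  if (!/^[0-9]+$/.test(String(userId))) {
    throw new TypeError("user id must be numeric");
  }
  const url = new URL(
    `${API_BASE}/verify/${encodeURIComponent(token)}/${encodeURIComponent(userId)}`
  );
  if (!url.pathname.startsWith("/protected/json/verify/")) {
    throw new Error("request path left the verify route");
  }
  return url.pathname;
}

// Constructed sample inputs: a normal code and the string quoted in the article.
function demo() {
  const results = [];
  for (const token of ["1234567", "../sms"]) {
    let safe;
    try { safe = safeVerifyPath(token, "42"); } catch (e) { safe = `rejected: ${e.message}`; }
    results.push({ token, naive: naiveVerifyPath(token, "42"), safe });
  }
  return results;
}

console.table(demo());
```

Logging every rejected submission with the account name and source address gives the site a record of attempts to submit non-numeric 2FA codes.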