Sunday afternoon, security firm Sakurity disclosed a vulnerability in the Authy two-factor authentication system. The vulnerability is an interesting security hole that could lead to cryptocurrency thefts on sites using Authy two-factor authentication (2FA). Sakurity is based in Hong Kong and routinely performs penetration tests, source code audits, and vulnerability assessments.
The exploit allows a malicious user to bypass the two-factor authentication step by simply typing “../sms” in the prompt for a 2FA key when attempting to log in to an account secured with Authy.
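A “../sms” token only has an effect if the site splices the user-supplied code straight into the path of its request to the verification API, so the “..” segment redirects the request to a different endpoint. The following is an added example, not authy-node’s code or Sakurity’s proof of concept; the endpoint paths, the placeholder host and the six-to-seven-digit token format are assumptions for illustration. It contrasts the unchecked pattern with the input check and encoding a site should apply before any network call.

```javascript
// Added example (not authy-node's code). Shows how an unchecked "../sms" token
// changes the endpoint a verification request reaches, and the check that stops it.
// Endpoint paths, host and token format below are assumptions, not Authy's real API.

const API_BASE = 'https://api.example.invalid'; // placeholder host (constructed)

// Resolve a request path the way a URL parser does, collapsing "." and ".." segments.
function resolvedPath(path) {
  return new URL(path, API_BASE).pathname;
}

// Vulnerable pattern: the user-supplied token is interpolated into the path unchecked,
// so a token containing "/" or ".." rewrites which endpoint is called.
function verifyPathUnsafe(token, authyId) {
  return `/protected/json/verify/${token}/${authyId}`;
}

// Defensive check: a TOTP-style code is only ever a short run of digits
// (6 or 7 digits assumed here), so anything else is rejected outright.
function isWellFormedToken(token) {
  return typeof token === 'string' && /^[0-9]{6,7}$/.test(token);
}

// Hardened pattern: validate first, then percent-encode each path segment so no
// input can introduce a new "/" even if the validation is later relaxed.
function verifyPathSafe(token, authyId) {
  if (!isWellFormedToken(token)) {
    throw new Error('2FA token must be 6 or 7 digits');
  }
  if (!/^[0-9]+$/.test(String(authyId))) {
    throw new Error('Authy id must be numeric');
  }
  return `/protected/json/verify/${encodeURIComponent(token)}/${encodeURIComponent(String(authyId))}`;
}

// What a login handler should do with the submitted code before contacting the API:
// return a structured result so the caller logs the rejection instead of sending it on.
function checkLoginToken(token, authyId) {
  try {
    return { ok: true, path: verifyPathSafe(token, authyId) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const authyId = '12345'; // constructed sample id
  console.log('unsafe, token "../sms" resolves to:', resolvedPath(verifyPathUnsafe('../sms', authyId)));
  console.log('safe, token "../sms":', checkLoginToken('../sms', authyId));
  console.log('safe, token "123456":', checkLoginToken('123456', authyId));
}

module.exports = { resolvedPath, verifyPathUnsafe, isWellFormedToken, verifyPathSafe, checkLoginToken };
```

Run with `node` to see the unsafe path resolve to `/protected/json/sms/12345`, a different endpoint from the one the code intended, while the hardened handler rejects the same input before any request is built. The digit check is the primary control; the percent-encoding is a second layer, since an encoded `%2F` is not treated as a path separator by URL parsers.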
Sakurity discovered the security hole on February 8th and reported the vulnerability to Authy. Authy immediately began to resolve the issue in their Authy software, but required that all sites using the Authy system update their software to address the issue.
Coin Fire has since tested several cryptocurrency sites in order to report which sites may be currently impacted by the security hole. Coin Fire contributors Brendon, Mike, and Leo attempted the exploit on their own accounts at various cryptocurrency sites.
Coinbase and ZenMiner have resolved the security issue on their sites. As of 2:30pm EDT on March 17th, PayBase has not fully resolved the issue on the PayBase website.
While Authy can be used by end users on sites using Google Authenticator, only sites that are directly using the Authy-node system seem to be impacted. Other exchanges, such as Poloniex and Circle, were not impacted by this security issue.
A user attempting to log in to another user’s account must still have that individual’s initial login details.