Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Kimmax109876yCheck out HMAC, the private key for time based 2fa auth (TOTP) is shared between both parties
-
Not too hard, iirc.
Since in rsa you have two primes, and primes become rarer and rarer when you go up, with a good enough list you might be fine with doing 0.001*sqrt(number)^2 checks with 0.001 being a VERY high estimate for how sparse primes are.
alternatively, you can havea lehmer sieve which can factor immense numbers in a few seconds.
I have never actually tried either, so take this with a grain of salt -
iamroot41216y2 ways they could of done it.
1 hack the actual phones of the users or the token API but that is unlikely in my eyes
The second option I feel is a lot more likely, they had an issue in how they check for 2fa. There are a lot of different ways to do 2fa so they might have fucked it up. This happened with Google before... Kinda if a hacker was able to login to someone's account with their 2fa then they could do a state glitch to indefinitely use a 2fa code that they set even if the user got back into the account. I wrote this just to show the complexity of 2fa and how it can be hacked -
@BinaryByter Sorry, but that doesn't work. Strictly speaking it does, but there are still too many number.
A normal sized key has 617 (decimal) digits. -
Hacking the database with all the secrets?
This doesn't seem to be an attack on authentication mechanism, but rather a normal database leak. -
devTea219106y@sbiewald 617? I know RSA but never heard of the standard size of the prime number to implement, people usually use that high?
-
@devTea 2048 bit.
The two large primes usually have half the length (which is still too large to guess). -
@devTea The RSA has the public key (e, N). N is the product of the two secret prime numbers. e is some other number.
N usually has a size of 2048 bits (or larger). This results in each prime number of having a size of 1024 bits. -
@sbiewald You only need to guess one number, btw. That makes AT UPPER MOST n tests to perforn. Pair that with a good list of prime (easily generated sitg a lehmer sieve) and you are done in a few.
-
@BinaryByter A good list of primes?
Both primes are very large (ideally about the same length), it is impossible (*) to get that large list of them.
There is an uppermost, for sure, but you still need a huge amount.
The square root of 10^657 (note: the actual value of the public key is different, but it doesn't matter much) is 31622776601683793319988935444327185337195551393252168268575048527925944386392382213442481083793002951873472841528400551485488560304538800146905195967001539033449216571792599406.
There are a lot of prime numbers up to that.
(*): With enough time... But I bet you still want to be alive to see the results :) -
@sbiewald I'll put this to the test when i have time, but that number still looks okay to do lol. I might be stupid, lol
-
Secret stealing or factoring is possible, but definitely the hard way.
I'd put my money on sms hijacking. Or if you can social engineer a rep to reset your secret "I broke my phone and now my 2fa app is inaccessible!" They might just hand you the new secret.
Related Rants
-
dder25We need more JS devs for our frontend. After half a year of PM complaining that he doesn’t find devs, he fi...
-
EmberQuill4My team handles infrastructure deployment and automation in the cloud for our company, so we don't exactly dev...
-
Trithon5My code broke for no reason. I added a log statement to see why. *tests code* It worked.... What the 何?!
How does one hack a 2fa authentication?
rant
wk155