A series of security glitches, including one in Google Apps’ account-recovery process, allowed a hacker to breach CloudFlare Inc.’s network last week and attack one of the company’s customers.
CloudFlare CEO and Co-Founder Matthew Prince detailed the attack in a blog post and in an interview with SearchCloudSecurity.com. He declined to identify either the suspected attacker or attackers and the target, but published reports indicate the hacking group UGNazi has taken responsibility for the attack, and the victim customer was believed to be 4Chan, an image-based bulletin board service.
The attack on San Francisco-based CloudFlare, which provides website security and performance services, appeared to start in mid-May, Prince said. That’s when the company noticed signs of someone trying to find vulnerabilities with third-party vendors CloudFlare used. On June 1, AT&T – Prince’s cell phone carrier – was tricked into redirecting his voicemail to a fraudulent voicemail box, he said.
“That was the initial vector that allowed a series of privilege escalations that resulted in the hack,” Prince said. He believes AT&T was possibly compromised through social engineering of its support staff. AT&T did not immediately respond to a request for comment Tuesday.
The attacker then initiated the Gmail account-recovery process for Prince’s personal email. The process prompted Google to call Prince’s phone, but Prince said he didn’t recognize the number and let it go to voicemail. Google’s account-recovery process was then tricked by the fraudulent voicemail box, Prince said, and left an account-recovery PIN that allowed the attacker to reset Prince's Gmail account. CloudFlare has published a detailed timeline of the breach.
Since Prince had listed his personal email address as a recovery email for his CloudFlare email account with Google, the hacker was able to have the password reset sent to his personal email for his corporate account. A flaw in Google’s account-recovery system allowed the hacker to bypass the two-factor authentication on Prince’s CloudFlare account, then access the company's Google Apps administrative panel and initiate a password-reset request for the targeted customer.
In an email, a Google spokesperson said, “We fixed a flaw that, under very specific conditions, existed in the account-recovery process for Google Apps for Business customers. If an administrator account that was configured to send password-reset instructions to a registered secondary email address was successfully recovered, 2-step verification would have been disabled in the process. This could have led to abuse if their secondary email account was compromised through some other means. We resolved the issue last week to prevent further abuse.”
Another flaw, which Prince said CloudFlare takes full responsibility for, was that the company sent a copy of the password-reset requests for debugging purposes to an administrative email account. Prince said that practice of sending certain transactional messages to an administrative account was a mistake that CloudFlare has ceased.
“The hacker was able to access this account in Google Apps and verify the password reset,” he wrote in his blog post. “At that point, the attacker was able to log into the customer’s CloudFlare account and change DNS settings to temporarily redirect the site.”
CloudFlare conducted a full security audit and found no evidence the hacker got beyond the company’s email system or accessed any other customer accounts. CloudFlare’s database was not accessed, Prince said, and the company doesn’t store any credit card information.
Prince told SearchCloudSecurity.com the company felt it was critical to release details about the attack.
“The security industry has always been a place where ostrich-like behavior is encouraged; where you cover up your problems. It’s only through back channels that you hear about these things,” he said. “That’s not the way to improve. If you get attacked, disclose how and why you got attacked and what you’ve done to fix the problem and encourage other companies to take those steps.”
He urged Google Apps users to add two-factor authentication to their accounts, and advised using Google’s Authenticator App instead of a verification method that passes through a phone company’s network.