Bottom Line Up Front
I was trying to log into my isc2.org account, and completely bypassed the MFA I had in place – by accident.
For this vulnerability to be exploited, the following must have been in place:
- The attacker already compromised the user’s isc2.org password
- The user hadn’t set up SMS (text messaging) as a MFA method
The attacker could compromise the user’s (ISC)2 account by entering the user’s credentials, registering a phone number during the login flow, and then using the text messaged code.
The video below discusses and demonstrates the issue.
I was logging into the isc2.org site to vote on their recent controversial bylaws amendment proposal when I accidentally discovered the MFA bypass. (ISC)2 is the organization behind the very popular CISSP certification, which is a highly regarded cybersecurity certification.
I had registered an authenticator app to use as MFA, but hadn’t registered text messaging as a method because… Well, text messaging isn’t secure (ie SIM swapping).
The site let me “Try something else” and REGISTER a NEW phone number – I was in! I just bypassed my own enrolled MFA method!
I haven’t been able to confirm this, but it appears this issue was caused by a SSO upgrade that ISC2 made on their website on 7/27/2022.
I reported the issue to them on Tuesday, 10/25/2022, and they called me on Friday, 10/28/2022, to ensure they understood my report. It appeared that they resolved the issue in mid-November, but I finally received confirmation that the issue was resolved on 12/13/2022. I did ask for the exact date that they resolved the issue for my report, but (ISC)2 said they wouldn’t release any further information.
In case you missed it, here is the video demonstration of this issue.
Here is the configuration of my MFA methods prior to the MFA bypass. Note that I only have “Google Authenticator” enabled.
Here I am at the (ISC)2 login screen.
After entering my username and password, the system prompted me for me a code from the authenticator app. I didn’t have access to the code, so I clicked on “Try Another Method.”
I didn’t remember the methods I had set up, so I tried “SMS Authentication” (which actually wasn’t enabled at this time).
Here is the problem. The site allowed me to register a NEW phone number, and enable the SMS MFA method during the login flow. ANY phone number could be used.
Here is the text message I received with the code.
Entering the code I received in the text message.
…And I’m logged in. I just bypassed my own MFA!
The system did generate an alert indicating that a new MFA method had been activated.
Here are the MFA options after enabling “SMS authentication” during the login flow.
1. Strong passwords still matter.
As long as we have deal to passwords, they remain an important defense layer. Even with the recent compromise of LastPass, the recommendation to use a password manager still stands:
- Use a very strong master password
- Generate very strong and unique passwords for each account
2. MFA isn’t a cure-all.
Unfortunately, this isn’t the first time we’ve seen improper MFA configurations on websites. We’ve also seen MFA defeated in different ways such as compromising MFA tokens.
Don’t neglect the importance of strong passwords.