Subscribe to receive notifications of new posts:

The Four Critical Security Flaws that Resulted in Last Friday's Hack

2012-06-04

2 min read

A core value CloudFlare is that security information should be shared between organizations to make the entire Internet safer. That is how CloudFlare's systems work: if one site is attacked, data about that attack is immediately shared with the rest of the network so other sites can be safe. We believe that same core value should apply when we are the victim of the attack. That is why we immediately posted an incident report and have continue to update it as we learn more.

Writing that report wasn't fun, but I believe it is important to share the details of the event so others who may be affected can learn from the events that transpired last Friday. This is not the usual way for the security industry, but we believe it's the way the security industry should be. To that end, here's what we know about the hack.

The Four Key Security Flaws

There were four key security flaws that allowed the hack to happen:

  1. AT&T was tricked into redirecting my voicemail to a fraudulent voicemail box;

  2. Google's account recovery process was tricked by the fraudulent voicemail box and left an account recovery PIN code that allowed my personal Gmail account to be reset;

  3. A flaw in Google's Enterprise Apps account recovery process allowed the hacker to bypass two-factor authentication on my CloudFlare.com address; and

  4. CloudFlare BCCing transactional emails to some administrative accounts allowed the hacker to reset the password of a customer once the hacker had gained access to the administrative email account.

Patching the Holes

We are following up with AT&T to understand more about how the voicemail was redirected. That remains unsettling, but it is not surprising that a phone company's voicemail security procedures are lax. It is also unsettling that Gmail's account recovery process appears to still be vulnerable to the voicemail hack. That is troubling since it means if a hacker knows your phone number then your Gmail account may, at best, only be as secure as your voicemail PIN.

You can mitigate these risk if you are a user by enabling two-factor authentication, ideally relying on Google's Authenticator App rather than anything that passes through the phone company's network. While Google is advising otherwise, I have removed my phone number from all my Google accounts.

Google has publicly stated that the flaw in the Google Enterprise App account recovery process has been patched and you can no longer use it get around two-factor authentication. Again, since any security system is only as strong as its weakest link, we would recommend using an out-of-band authentication that doesn't rely on the phone company's network (e.g., Google Authenticator App, not SMS or voice verification).

Finally, CloudFlare has stopped BCCing password reset and other transactional messages to administrative accounts, closing that attack vector if an administrator's email account is compromised in the future. If you're doing that at your company, and a troubling number of companies do use email as a poor man's logs, you should stop. This incident is why.

Timeline

The event, from start to finish, lasted less than 2 hours. The hackers were in my personal Gmail account for about 1 hour 35 minutes. They were in CloudFlare's email accounts for about 28 minutes, although likely interrupted several times as our ops team reset passwords and sessions. To better understand the hack, we put together the visual timeline below which is our best understanding of the events as they transpired. As we learn more, we'll update the information here and on the official incident report.

The Four Critical Security Flaws that Resulted in Last Friday's
Hack
Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
Post MortemAttacks

Follow on X

Matthew Prince|@eastdakota
Cloudflare|@cloudflare

Related posts

November 20, 2024 10:00 PM

Bigger and badder: how DDoS attack sizes have evolved over the last decade

If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps). ...

October 02, 2024 1:00 PM

How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack

Over the past couple of weeks, Cloudflare's DDoS protection systems have automatically and successfully mitigated multiple hyper-volumetric L3/4 DDoS attacks exceeding 3 billion packets per second (Bpps). Our systems also automatically mitigated multiple attacks exceeding 3 terabits per second (Tbps), with the largest ones exceeding 3.65 Tbps. The scale of these attacks is unprecedented....

September 27, 2024 1:00 PM

Network trends and natural language: Cloudflare Radar’s new Data Explorer & AI Assistant

The Cloudflare Radar Data Explorer provides a simple Web-based interface to build more complex API queries, including comparisons and filters, and visualize the results. The accompanying AI Assistant translates a user’s natural language statements or questions into the appropriate Radar API calls....