Vulnerability In Duo Security App 2FA Could Allow Account Takeover

Duo, the security app offering login authentication features, had a serious vulnerability threatening users’ accounts. The vulnerability affected the Duo app’s 2FA feature and could let an adversary take over a target account.

Duo App 2FA Vulnerability

Researchers from the Orange Cyberdefense’s SensePost team discovered a serious vulnerability in the 2FA functionality of the Duo app.

Duo is a popular security app that Cisco acquired in 2018. It protects users’ accounts by offering login authentication. For apps of this kind, two-factor authentication is the core functionality, so vulnerabilities affecting it can directly threaten the security of all users’ accounts.

One such vulnerability caught the attention of the SensePost team during an app analysis. They found that an adversary could potentially exploit the 2FA functionality to target another user’s account.

As demonstrated by the researchers, an authenticated attacker would merely need to intercept the 2FA of the target victim account to take it over.

While it was a simple 2FA bypass, it did require the adversary to already pass user authentication in order to execute the attack.

The researchers have shared the technical details about the exploit in their blog post.

Patch Deployed

Upon discovering the bug, the researchers reported the matter to Duo authorities.

Consequently, Duo acknowledged the bug, which received a critical severity rating with a CVSS score of 8.8. Explaining the impact of this flaw in its advisory, Duo stated,

An attacker who had access to a victim’s primary credentials and a Duo user account on the same Duo deployment could bypass second-factor authentication and successfully authenticate to a Duo-protected application as the victim.

In response, Duo fixed the bug and deployed the patch to Duo’s cloud service. Hence, customers are now safe from this attack and do not have to take any action to receive the fix.

Still, keeping devices and apps updated to the latest version remains the best practice for staying safe.
