Popular discussion website Reddit proved this week that its security still isn’t up to snuff when it disclosed yet another security breach that was the result of an attack that successfully phished an employee’s login credentials.
In a post published Thursday, Reddit Chief Technical Officer Chris “KeyserSosa” Slowe said that after the breach of the employee account, the attacker accessed source code, internal documents, internal dashboards, business systems, and contact details for hundreds of Reddit employees. An investigation into the breach over the past few days, Slowe said, hasn’t turned up any evidence that the company’s primary production systems or that user password data was accessed.
“On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees,” Slowe wrote. “As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.”
A single employee fell for the scam, and with that, Reddit was breached.
It’s not the first time a successful credential phishing campaign has led to the breach of Reddit’s network. In 2018, a successful phishing attack on another Reddit employee resulted in the theft of a mountain of sensitive user data, including cryptographically salted and hashed password data, the corresponding user names, email addresses, and all user content, including private messages.
In that earlier breach, the phished employee’s account was protected by a weak form of two-factor authentication (2FA) that relied on one-time passwords (OTP) sent in an SMS text. Security practitioners have frowned on SMS-based 2FA for years because it’s vulnerable to several attack techniques. One is so-called SIM swapping, in which attackers take control of a targeted phone number by tricking the mobile carrier into transferring it. The other phishes the OTP.
When Reddit officials disclosed the 2018 breach, they said that the experience taught them that “SMS-based authentication is not nearly as secure as we would hope” and, “We point this out to encourage everyone here to move to token-based 2FA.”
Fast-forward a few years and it’s obvious Reddit still hasn’t learned the right lessons about securing employee authentication processes. Reddit didn’t disclose what kind of 2FA system it uses now, but the admission that the attacker was successful in stealing the employee’s second-factor tokens tells us everything we need to know—that the discussion site continues to use 2FA that’s woefully susceptible to credential phishing attacks.
The reason for this susceptibility can vary. In some cases the tokens are based on pushes that employees receive during the login process, usually immediately after entering their passwords. The push requires an employee to click a link or a “yes” button. When an employee enters the password into a phishing site, they have every expectation of receiving the push. Because the site looks genuine, the employee has no reason not to click the link or button.
OTPs generated by an authenticator app such as Authy or Google Authenticator are similarly vulnerable. The fake site not only phishes the password, but also the OTP. A fast-fingered attacker, or an automated relay on the other end of the website, quickly enters the data into the real employee portal. With that, the targeted company is breached.
The best form of 2FA available now complies with an industry standard known as FIDO (Fast Identity Online). The standard allows for multiple forms of 2FA that require a physical piece of hardware, most often a phone, to be near the device logging in to the account. Since the phishers logging in to the employee account are miles or continents away from the authenticating device, the 2FA fails.
FIDO 2FA can be made even stronger if, besides proving possession of the enrolled device, the user must also provide a facial scan or fingerprint to the authenticator device. This measure allows for 3FA (a password, possession of a physical key, and a fingerprint or facial scan). Since the biometrics never leave the authenticating device (since it relies on the fingerprint or face reader on the phone), there’s no privacy risk to the employee.
Last year, the world got a real-world case study in the contrast between 2FA with OTPs and FIDO. Credential phishers used a convincing impostor of the employee portal for security firm Twilio and a real-time relay to ensure the credentials were entered into the real Twilio site before the OTP expired (typically, OTPs are valid for a minute or less after they’re issued). After tricking one or more employees into entering their credentials, the attackers were in and proceeded to steal sensitive user data.
Around the same time, content delivery network Cloudflare was hit by the same phishing campaign. While three employees were tricked into entering their credentials into the fake Cloudflare portal, the attack failed for one simple reason: rather than relying on OTPs for 2FA, the company used FIDO.
To be fair to Reddit, there’s no shortage of organizations that rely on 2FA that’s vulnerable to credential phishing. But as already noted, Reddit has been down this path before. The company vowed to learn from its 2018 intrusion, but clearly it drew the wrong lesson. The right lesson is: FIDO 2FA is immune to credential phishing. OTPs and pushes aren’t.
Reddit representatives didn’t respond to an email seeking comment for this post.
People who are trying to decide what service to use and are being courted by sales teams or ads from multiple competing providers would do well to ask if the provider’s 2FA systems are FIDO-compliant. Everything else being equal, the provider using FIDO to prevent network breaches is hands down the best option.