Loose security protecting voice mailboxes at mobile carrier AT&T provided a key element necessary to successfully hack the Google Enterprise Apps account of tech firm CloudFlare, according to an account of the hack posted by CEO Matthew Prince.
Writing on the company’s blog on Monday, Prince said that attackers exploited a business process flaw in AT&T’s voicemail system that allowed them to forward his cell phone to a fraudulent voicemail box they controlled. They then used a pre-recorded voicemail greeting to trick Google’s system into leaving the PIN code needed to reset a Gmail password as a voicemail message – a second critical flaw, this one allowing attackers to bypass Google’s two-factor authentication system.
Prince said that other security mistakes enabled the attack against CloudFlare, which relies on Google Apps to host both email and apps for CloudFlare.com. They include a flaw in Google’s Enterprise Apps account recovery process that allowed hackers to bypass the two-factor authentication protecting CloudFlare employees’ accounts on Google Apps.
But CloudFlare itself was to blame. The company regularly copied administrative e-mail accounts on “transactional e-mails” such as password change notifications. That allowed the hackers who got access to Prince’s e-mail account to move even deeper into CloudFlare’s network.
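The process weakness described above, where administrative mailboxes are copied on password-change and similar transactional messages, is one a team can check for mechanically before a message leaves the system. The following is an added example, not code from the article or from CloudFlare or Google: a small recipient policy that audits an outgoing account-lifecycle notification and strips every recipient other than the affected account’s owner. The event names, addresses and the `Notification` structure are assumptions chosen for illustration.

```python
# Added example (not from the article or the companies it describes): a
# recipient policy for account-lifecycle notifications. It flags and removes
# any To/Cc/Bcc address other than the account owner on events such as
# password changes, so an attacker who controls one mailbox learns nothing
# about, and cannot be helped by, copies sent to administrators.
from dataclasses import dataclass, field, replace

# Events whose notifications must reach only the account owner (assumed list).
OWNER_ONLY_EVENTS = {
    "password_changed",
    "password_reset_requested",
    "recovery_code_issued",
    "two_factor_disabled",
}


@dataclass
class Notification:
    event: str
    account_owner: str      # address of the account the event concerns
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)


def _norm(addr: str) -> str:
    """Case-insensitive comparison key for an e-mail address."""
    return addr.strip().lower()


def audit(n: Notification) -> list:
    """Return a list of policy violations; an empty list means the message is clean."""
    if n.event not in OWNER_ONLY_EVENTS:
        return []
    owner = _norm(n.account_owner)
    violations = []
    for header, addrs in (("to", n.to), ("cc", n.cc), ("bcc", n.bcc)):
        for addr in addrs:
            if _norm(addr) != owner:
                violations.append(f"{header}: {addr} is not the account owner")
    if not any(_norm(a) == owner for a in n.to):
        violations.append("to: account owner missing")
    return violations


def enforce(n: Notification) -> Notification:
    """Return a compliant copy: owner-only events go to the owner and nobody else."""
    if n.event not in OWNER_ONLY_EVENTS:
        return n
    return replace(n, to=[n.account_owner], cc=[], bcc=[])


# Constructed sample: a password-change notice that also copies an admin mailbox.
SAMPLE = Notification(
    event="password_changed",
    account_owner="ceo@example.com",
    to=["ceo@example.com"],
    cc=["admin@example.com"],
)

if __name__ == "__main__":
    for v in audit(SAMPLE):
        print("violation:", v)
    fixed = enforce(SAMPLE)
    print("send to:", fixed.to, "cc:", fixed.cc)
```

Running `audit` in the sending path (and failing the send, rather than silently fixing it, in a staging environment) surfaces templates that were configured to fan out; `enforce` is the production safety net. Administrators who need visibility get it from an audit log the notification system writes, not from a copy of the message itself.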
The entire attack, which transpired on June 1, lasted less than two hours, with hackers in control of Prince’s Gmail account for about 1 hour and 35 minutes, and in control of CloudFlare’s email accounts for 28 minutes. Some of that time was spent battling for control with the CEO and other CloudFlare administrators.
CloudFlare is based in San Francisco and provides hosted security and content acceleration services for Web-based businesses. Prince said that his company has changed its internal procedures to stop copying administrators on transactional e-mail and that the company is working with AT&T to address the vulnerability that allowed his voicemail to be rerouted. Google, Prince said, has fixed the vulnerability that allowed attackers to bypass two-factor authentication with its Enterprise Apps service.