Christine Lemmer-Webber
Keybase CEO talking about Slack being compromised and how it affected them https://keybase.io/blog/slack-incident
But here's the really interesting bit:
> Though Slack originally told me 2FA would provide "a bit of extra security," these new data show otherwise. If the attackers inject server code, 2FA or U2F or any Web-based security practice does little.
2FA helps protect against password reuse, not much else.
Christine Lemmer-Webber
Let me explain that last sentence: you can MiTM 2FA.
Christine Lemmer-Webber
Let me explain that last sentence explaining the previous sentence:
- MiTM: Man in The Middle attack https://en.wikipedia.org/wiki/Man-in-the-middle_attack
- 2FA: two-factor-auth (most popularly, "let me send this text to your phone", though there are other methods)
Astra: Zero Luma
@cwebber ummm... That's not a MiTM. Like, if the code of a service is compromised, that is Game Over and you're helpless as a user.
There's steps you can take to prevent this as an operator.
I've only seen man in the middle to refer to "i control the network between you and the service." I've never seen it refer to "I've compromised the service."
Jeff
@cwebber
In this case, the mitm did not appear to affect 2fa. Given the nature of the attack, they would have had to steal 2fa secrets for them to be able to attack 2fa accounts, which it does appear they did.
Astra: Zero Luma
@cwebber also, with that specific definition of MiTM, some 2fa can be.
If you trust your browser has not been compromised and the TLS ecosystem is intact, otp and sms can be MiTM, while u2f cannot be.
(U2f does a bunch of device-side crypto that incorporates the host information)
Chirp! is a social network. It runs on GNU social, version 2.0.1-beta0, available under the GNU Affero General Public License.
All Chirp! content and data are available under the Creative Commons Attribution 3.0 license.