Gandi security vulnerability: 2FA bypass
Gandi is a French domain name registrar I use for all my domains, which also supports the volunteers behind some FLOSS projects. On Tuesday 27 September 2016 I found a flaw in their login form which allowed anyone to completely bypass two-factor authentication (2FA) once they had entered the right handle and password.
It all starts with a broken phone
The day before I found this vulnerability, my phone fell and hit the ground corner-first. The display is now fully cracked and the touch screen doesn't work anymore. I was very frustrated about this, because the other phone I have at home is an old, crappy Android phone (which doesn't work perfectly).
Everything on the phone was backed up, except one thing: the seeds of my 2FA tokens. For most of the sites I have the backup codes saved in my password manager, but Gandi doesn't provide those, and I was worried about being locked out of my account.
A vulnerability discovered out of frustration
I knew my Gandi account had 2FA enabled so, the day after, I went to their website looking for a way to access my account.
I entered my handle and the correct password on the login form, and I was then prompted for the 2FA token. Some of the websites I use provide a way to disable 2FA, with either a backup code or an SMS to my phone number, but there was none of that on the Gandi website.
Because some websites show a "Reset password?" option only after a number of wrong attempts, I entered a dummy token (123456) and sent it. Obviously it didn't work, but out of frustration I started clicking the button multiple times.
After a few seconds of clicking that button with the wrong token, the website logged me in and redirected me to my account page. It was the only time in my life when clicking a button multiple times solved a problem, but it was also a security vulnerability (you can't have only nice things, unfortunately).
Reporting the vulnerability
The bug didn't allow you to log into any account you wanted (as the Dropbox one in 2011 did), because the correct handle and password were still required and checked, but it made the whole 2FA thing useless, since you were able to skip the check.
After replicating the bug on my account multiple times, I started looking around for the Gandi security team's email address to report the vulnerability. I looked for five minutes on their website, but with no luck. I then asked their support team where I should report a security vulnerability, without providing any details.
After a bit more than an hour I received their security team's email address and the instruction to encrypt the message with the GPG key found on the keyservers. While the response time wasn't bad for customer support, it would be better if there was a page on their website with all the details.
Gandi's response
After I sent the encrypted details to the security team's email address, I also tweeted about a possible vulnerability I had found. A director of Gandi's USA office noticed it, and replied to my email acknowledging the report and saying their security team is based in Paris and was asleep, and nobody in the USA had the team's GPG key.
As he requested, I re-encrypted the report with his key, and after less than an hour I received confirmation the bug was found and fixed. They said they can't currently afford a bug bounty program, but two days later they offered to send me a cover for my next phone.
The cause of the vulnerability
When I discovered this, I was quite confused: how is it possible to bypass the 2FA check by clicking the submit button multiple times? After they fixed the bug they told me the cause was a combination of two flaws in their website's code:
- When the 2FA checker was unreachable, their website was coded to skip the check and authenticate the user anyway (fail open), I guess to avoid blocking the login functionality if there are problems with the 2FA checker, for example after deploying a broken code change.
- Due to a problem in the network ACLs, one of the web backends wasn't authorized to communicate with the 2FA checker, so it marked the checker as offline and skipped the check because of the previous issue.
The combination of these two flaws meant that when the load balancer sent you to the faulty backend, the 2FA check wasn't performed at all. This also explains the "click the button multiple times" thing, since you needed to land on that specific web backend in order to trigger the bug.
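To make the two flaws concrete, here is an added example (not Gandi's code) that models a fail-open and a fail-closed login handler in front of a simulated 2FA checker. The backend names, the ACL table, the valid token and the round-robin load balancer are all constructed assumptions; the point is that with fail-open logic, one backend blocked by the ACL turns into a full 2FA bypass, while fail-closed logic denies those logins and records the outage so it can be detected.

```python
"""Fail-open vs fail-closed handling of an unreachable 2FA verifier."""
import hmac

# Constructed network ACL: which web backend may reach the 2FA checker.
# "web-2" reproduces the misconfigured backend described in the post.
ACL_ALLOWS_CHECKER = {"web-1": True, "web-2": False}

VALID_TOTP = "492039"   # constructed: the code the checker expects right now
checker_outages = []    # fail-closed handler records outages here for alerting


class CheckerUnreachable(Exception):
    """Raised when the backend cannot talk to the 2FA checker (ACL block, outage)."""


def call_2fa_checker(backend, token):
    """Simulated remote call; the ACL decides whether it can be reached at all."""
    if not ACL_ALLOWS_CHECKER[backend]:
        raise CheckerUnreachable(f"{backend}: connection to 2fa-checker refused")
    return hmac.compare_digest(token, VALID_TOTP)


def login_fail_open(backend, password_ok, token):
    """Vulnerable: a checker outage is treated as if the token were valid."""
    if not password_ok:
        return False
    try:
        return call_2fa_checker(backend, token)
    except CheckerUnreachable:
        return True   # "keep logins working" -> second factor silently skipped


def login_fail_closed(backend, password_ok, token):
    """Hardened: a checker outage denies the login and is recorded for monitoring."""
    if not password_ok:
        return False
    try:
        return call_2fa_checker(backend, token)
    except CheckerUnreachable as err:
        checker_outages.append(f"{backend}: {err}")   # alert on this, never bypass
        return False


def simulate_clicks(login, attempts, token="123456"):
    """Round-robin load balancer: the n-th submit lands on backend n mod 2."""
    backends = sorted(ACL_ALLOWS_CHECKER)
    return [login(backends[i % len(backends)], True, token) for i in range(attempts)]
```

With the fail-open handler, every second click (the one routed to the blocked backend) logs in with a wrong token; with the fail-closed handler none do, and the outage list shows which backend needs its ACL fixed.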
This was the first security vulnerability I found on a company's website, so I experienced the responsible disclosure process for the first time. Reading other disclosures has always been a good learning experience for me, because I learnt how to prevent the vulnerabilities other people discovered and reported.
There are some horror stories about disclosures out there, but the Gandi people were fast to reply and fix the bug. The only thing I hope they change is the lack of a security team contact on their website: I had to go through customer support instead.
I was told they don't want to receive spam in their security team's inbox (but also don't want to lose emails to the spam filters), and their support team is trained to redirect reports to the security people, but even a "contact the support team to report vulnerabilities" note somewhere on the website would be great.
I live in Italy, so everything happened in the UTC+2 timezone.
- 2016/09/27 20:30: found the issue on the Gandi website
- 2016/09/27 21:00: contacted Gandi support asking for a security contact
- 2016/09/27 22:15: received the contact information from Gandi support
- 2016/09/27 22:45: sent detailed report to Gandi's security team
- 2016/09/27 23:33: received the first ACK from Gandi
- 2016/09/27 23:43: sent detailed report to Gandi's USA office
- 2016/09/28 00:36: received confirmation the vulnerability was fixed