Pietro Albini

Gandi security vulnerability: 2FA bypass

Written on October 2, 2016.

Gandi is a French domain name regis­trar I use for all my domains, which also supports the volun­teers behind some FLOSS projects. On Tues­day 27 septem­ber 2016 I found a flaw in their login form which allowed to completly bypass two factor authen­ti­ca­tion (2FA), after you inserted the right handle and password.

It all starts with a broken phone

The day before I found this vulner­a­bil­i­ty, my phone fell and hit the ground with the corner. The display is now fully cracked and the touch screen does­n’t work anymore. I was very frus­trated about this, because the other phone I have at home is an old, crappy Android phone (which does­n’t work perfectly).

Every­thing on the phone was backed up, except one thing: the seeds of my 2FA tokens. For most of the sites I have the backup codes saved in my pass­word manager, but Gandi does­n’t provide those, and I was worried to be locked out of my account.

A vulnerability discovered out of frustration

I knew my Gandi account had 2FA enabled so, the day after, I went to their website look­ing for a way to access my account.

I inserted my handle and the correct pass­word on the login form, and I was then prompted for the 2FA token. Some of the websites I use provide a way to disable 2FA, with either a backup code or an SMS to my phone number, but there was none of that in the Gandi website.

Because some websites provide a “Reset pass­word?” thing only after a number of wrong tries, I inserted a dummy token (123456) and sent it. Obvi­ously it didn’t work, but out of frus­tra­tion I started click­ing the button multi­ple times.

After a few seconds of click­ing that button with the wrong token, the website logged me in and redi­rected me to my account page. It was the only time in my life when click­ing a button multi­ple times solved a prob­lem, but it was also a secu­rity vulner­a­bil­ity (you can’t have only nice things, unfortunately).

Reporting the vulnerability

The bug didn’t allow you to log into any account you wanted (as the Drop­box one in 2011 did), because the correct handle and pass­word were still required and checked, but it made the whole 2FA thing useless, since you were able to skip the check.

After repli­cat­ing the bug on my account multi­ple times, I started look­ing around for the Gandi secu­rity team’s email address to report the vulner­a­bil­i­ty. I looked for five minutes in their website, but with no luck. I then asked their support team where should I report a secu­rity vulner­a­bil­i­ty, with­out provid­ing any details.

After a bit more than an hour I received their secu­rity team’s email address and the instruc­tion to encrypt the message with the GPG key found in the keyservers. While the response time wasn’t so bad for a customer support, it would be better if there was a page on their website with all the details.

The Gandi’s response

After I sent the encrypted details to the secu­rity team’s email address, I also tweeted about a possi­ble vulner­a­bil­ity I found. A direc­tor of the Gandi’s USA office noticed it, and replied to my email acknowl­edg­ing the report and saying their secu­rity team is based in Paris and was asleep, and nobody in the USA had the team’s GPG key.

As he request­ed, I re-en­crypted the report with his key, and after less than an hour I received confir­ma­tion the bug was found and fixed. They said they can’t currently afford a bug bounty program, but two days after they offered to send me a cover for my next phone.

The cause of the vulnerability

When I discov­ered this, I was quite confused: how is it possi­ble that you can bypass the 2FA check by click­ing the submit button multi­ple times? After they fixed the bug they told me the cause was a mix of two flaws in their website’s code:

The combi­na­tion of these two flaws meant when the load balancer redi­rected you to the faulty back­end, the 2FA check wasn’t performed at all. This also explains the “click the button multi­ple times” thing, since you needed to reach that specific web back­end in order to trig­ger the bug.

Lessons learned

This was the first secu­rity vulner­a­bil­ity I found on a compa­ny’s website, so I expe­ri­enced the respon­si­ble disclo­sure process for the first time. Read­ing other disclo­sures was always a good learn­ing expe­ri­ence for me, because I learnt how to prevent the vulner­a­bil­i­ties other people discov­ered and reported.

There are some horror stories about disclo­sures out there, but the Gandi people were fast to reply and fix the bug. The only thing I hope they change is, they don’t have any secu­rity team contact on their website, but I had to contact the customer support.

I was told they don’t want to receive spam in their secu­rity team’s inbox (but also don’t want to lose emails due to the spam filter­s), and their support team is trained to redi­rect the reports to the secu­rity guys, but even a “con­tact the support team to report vulner­a­bil­i­ties” some­where in the website would be great.

Disclosure timeline

I live in Italy, so every­thing happened in the UTC+2 timezone.