Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This is really important news. It was mostly social engineering hacking, but it seems to have been very clever. It's important to notice that it wasn't a flaw in two factor authentication itself, but on the recovery options.

I really hate the recovery options. I don't know what they are there. If I forgot my password, my recovery e-mail, I don't want to answer questions to be sure it was me. Who knows how this exactly worked, but it sure seems to be a problem with that logic.



So it seems that there was a bug in the two factor authentication affecting "some accounts" during the recovery procedure (see the update to the article). Slightly worrying that the two factor authentication can be bypassed when resetting a password.


But even after resetting the password, two factor authentication is needed to log in right? How was that bypassed?


The blog author didn't actually have two factor authentication enabled. The headline is wrong.


You are incorrect, quote from the article:

all CloudFlare.com accounts use two-factor authentication. We are still working with Google to understand how the hacker was able to reset the password without providing a valid two-factor authentication token.


He didn't have it for his personal account. But he did have it for cloudfare.com accounts.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: