Wednesday, 18 March 2015

How To Bypass Two Step Verification Code

How To Bypass Two Step Verification Code? 

Now 2 step authentication are not safe, you guys will shock but its true. The attacker types ../sms in the SMS token field.

Sakurity researchers found the way to bypass the Authy 2 factor Authentication.

Here the details: 

>> The client app encodes it as ..%2fsms and makes an API call to Authy -

>> Path_traversal middleware decodes path to,
splits by slashes and removes the directory in front of /...

>> Actual Authy API sees modified path,
simply sends another SMS to authy_id (the victim) and responds with 200 status and {"success":true,"message":"SMS token was sent","cellphone":"+1-XXX-XXX-XX85"}

>> All Authy SDK libraries consider 200 status as a successful response and let the attacker in. Even a custom integration most likely will look for "success":true in the JSON body, and our /sms response body has it. So the only secure way to verify the response is to search for "token":"is valid" substring (which is what Authy libraries do now).

Yes, the attacker was able to bypass 2 factor authentication on any website using Authy with something as simple as "../sms" in the token field!

Source: Sakurati


  1. Tested on google mail. Not worked :P

  2. Does not work on Google's 2-Step Verification. :d

  3. I tried test on Google's 2-Step Verification, It doesn't work

  4. I do not even wish to try cause I know it not works...
    very poor article

  5. Well, yeah, for you stupid people who doesn't read the source, this was already reported A MONTH AGO

    Timeline: reported on Feb 8, the path_traversal module was patched right away and we waited for a month to let authy-node users to update.

  6. It dosen't work for gmail is there any other method


Toggle Footer