The 4chan breach: How hackers got a password through voicemail

A glitch in Google’s system allowed hackers to circumvent security
Luke Simcoe

Luke Simcoe is a guest blogger. He contributes the occasional post on web culture, the various kooks and cranks who inhabit the Internet, as well as copyright matters.

The hackers have sure been busy. In less than 10 days, a slew of social media sites, including LinkedIn and eHarmony, have had their security breached and user info leaked. Yet, while the mainstream press devoted copious digital ink to these high-profile incidents, it largely missed another, more interesting (and more worrisome) hack perpetrated this month.

On June 1, the hacktivist group UGNazi hijacked the domain of the notorious imageboard 4chan and redirected visitors to a UGNazi-owned Twitter account. The hackers called 4chan a “playground that allows pedophiles to share their ‘collections’ and the disgusting bronies [fans of the cartoon My Little Pony] to hang out,” but added they had carried out the attack mostly for their own amusement.

Juvenile rhetoric and bravado aside, what makes the 4chan hack interesting is how it was done. UGNazi got to 4chan by attacking the site’s host — a company called CloudFlare — and did so by exploiting a flaw in Google’s authentication system.

“The attack was the result of a compromise of Google’s account security procedures that allowed the hacker to eventually access my email addresses, which run on Google Apps,” wrote CloudFlare’s CEO Matthew Prince.

Rather than crack Prince’s password, it seems, UGNazi asked Google for an account reset. Should users forget their password, Google gives them the option of having a reset code sent to a mobile phone associated with the account. Prince believes the hackers began the recovery process and then tricked (hackers might say “socially engineered”) AT&T’s support staff into giving them access to his voicemail, where the code would have ended up.

From there, it was a matter of using Prince’s personal email to recover his Google Apps business account. Technically, the additional security Google puts on business accounts — in the form of two-factor authentication — should have prevented this. When UGNazi hackers logged in, they should have been asked for an additional piece of verification. However, a glitch in Google’s system allowed them to circumvent this as well.

“If an administrator account that was configured to send password-reset instructions to a registered secondary email address was successfully recovered, two-step verification would have been disabled in the process,” Google said in a statement.
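The design flaw Google describes is easy to state in code: a recovery path that, on success, quietly switches off the second factor, so the account is only ever as strong as its recovery e-mail. The toy model below is an added example written for this post, not Google’s or CloudFlare’s code; the account fields, the `LegacyPolicy`/`HardenedPolicy` classes and the stand-in TOTP check are all constructed for illustration. It contrasts the weak recovery behaviour with the corrected one, where a reset changes the password but leaves two-step verification in force.

```python
"""Toy model of account recovery vs. two-step verification (constructed example).

LegacyPolicy reproduces the failure mode described above: recovering an
account through its secondary e-mail address disables two-step verification,
so whoever controls the recovery channel ends up with a fully usable login.
HardenedPolicy keeps the second factor required after recovery.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Account:
    username: str
    password: str
    recovery_email: str           # secondary address used for password resets
    two_step_enabled: bool = True
    totp_secret: str = field(default_factory=lambda: secrets.token_hex(8))


def expected_totp(acct: Account) -> str:
    # Stand-in for a real time-based code; derived only from the enrolled secret,
    # which a recovery-e-mail holder does not possess.
    return acct.totp_secret[:6]


class RecoveryPolicy:
    """Recovery via the secondary e-mail issues a fresh password."""
    name = "base"

    def recover(self, acct: Account, proof_of_email: str) -> Optional[str]:
        """Return a new password if the caller proves control of the recovery
        address; None otherwise."""
        if proof_of_email != acct.recovery_email:
            return None
        acct.password = secrets.token_urlsafe(16)
        self.after_recovery(acct)
        return acct.password

    def after_recovery(self, acct: Account) -> None:
        pass


class LegacyPolicy(RecoveryPolicy):
    """Weak setting: a successful recovery also turns off two-step verification."""
    name = "legacy"

    def after_recovery(self, acct: Account) -> None:
        acct.two_step_enabled = False


class HardenedPolicy(RecoveryPolicy):
    """Corrected setting: recovery rotates the password only; the second
    factor (or an equivalent out-of-band proof) is still demanded at login."""
    name = "hardened"


def login(acct: Account, password: str, totp_code: Optional[str] = None) -> bool:
    """Password check, then the second factor if it is enabled on the account."""
    if password != acct.password:
        return False
    if acct.two_step_enabled:
        return totp_code == expected_totp(acct)
    return True


def recovery_bypasses_second_factor(policy: RecoveryPolicy) -> bool:
    """Policy audit: a party who controls only the recovery e-mail (and not the
    enrolled second factor) runs recovery, then tries the new password alone.
    Returns True if that login succeeds, i.e. the second factor was bypassed."""
    acct = Account("admin", "random-20-plus-character-string", "personal@example.com")
    new_password = policy.recover(acct, proof_of_email="personal@example.com")
    assert new_password is not None
    return login(acct, new_password, totp_code=None)


if __name__ == "__main__":
    for policy in (LegacyPolicy(), HardenedPolicy()):
        verdict = "BYPASSED" if recovery_bypasses_second_factor(policy) else "still required"
        print(f"{policy.name:>9}: second factor {verdict} after e-mail recovery")
```

The audit function is the part worth keeping around: any recovery path a service exposes should be run through the same question (“can someone holding only this channel log in without the second factor?”), because in Prince’s case the answer was yes, and the channel in question was a voicemail box.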

The search giant has since fixed the problem, but it’s a timely reminder of the inverse relationship between convenience and vulnerability. When our devices and programs are all interconnected, we’re only as secure as the weakest link. In Prince’s case, the keys to his business were available to anyone with access to his voicemail.

If we’re going to take online security seriously, then we’ll have to think about more than just strong passwords; after all, Prince was using a random string of more than 20 characters. We need to put walls up between the different computers we use and stop relying so heavily on so few companies.

We can start by not giving Google our phone number.