Popular on TelAve
- IRF Builders Forum Brings Global Leaders to Washington, D.C. to Advance Religious Freedom Through Cooperative Engagement
- The ITeam Ranked on Channel Partners 2025 MSP 501—Tech Industry's Most Prestigious List of Managed Service Providers Worldwide
- Keepy Uppy™ by Ollyball Wins Prestigious 2025 Influencer Award from Clamour & The Toy Association; Announces Fall 2025 Launch at Target Stores
- Colorado Scenthound Locations Partner with Humane Colorado to Give Adopted Dogs a "Clean Start"
- databahn Launches GenAI Sales Intelligence Platform to Revolutionize Fortune 500 and Global 2000 Account Research
- NYC Leadership Strategist Stacie Selise Launches Groundbreaking 4S Framework Series to Redefine Executive Excellence
- TCAA Welcomes Adolfo Gomez Sanchez to Its Family of Talented Speakers
- Shop American Made Goods: New Online Marketplace My American Goods Curates the Best of U.S. Made
- Honoring Black History, Culture, and Community in Fall River
- Spartan & Guardians Partner with Guitar Legend Buckethead to Support Global Child Rescue Efforts
Similar on TelAve
- $10 Million Allocated to Establish Crypto Treasury Focused on High Value Ethereum (ETH) & Bitcoin (BTC) as Long-Term Holdings for Cybersecurity Leader
- $100 to $200 Million Equity Agreement with Top Digital Advisor Bitwise to Power Major Digital Asset Initiative for Bitcoin and Solana: OFA Group
- SlickCashLoan Launches Free Loan Calculator to Help You Plan Monthly Payments
- GreenPal Empowers Lawn Care Pros Leveraging AI, Surpasses 5 Million Transactions
- The Blue Luna Encourages Local Schools to Take Steps to Enhance Safety for Students and Staff
- Smart Resnse Unveils Smart Resnse(SRMS) Token-Powered AI Orchestration Platform to Revolutionize Multi-Billion Dollar Market
- Revolutionary Blockchain Platform Okh Finance Announces Okh Finance(OKKH) Token Launch to Transform Global Asset Leasing Market
- DivX Empowers Media Enthusiasts with Free Expert Guides for Advanced MP4 Management
- Assent Expands Executive Team to Accelerate Global Growth & Innovation
- The World's Largest Green Economic Revolution Emerges as Nature, Tech, and Finance Converge
Silent Sector Advises IETF of Major Vulnerability Related to QR Codes Used to Enroll Two-Factor Authentication Processes
TelAve News/10841667
Millions – Perhaps Tens of Millions – of 2FA Credentials at Risk of Exposure. Global Remediation Likely to Cost Billions of Dollars
SCOTTSDALE, Ariz. - TelAve -- A significant exposure related to the use of QR codes in two-factor authentication (2FA) processes has been identified and reported to the Internet Engineering Task Force (IETF) by researchers and analysts at Silent Sector (https://silentsector.com), a cybersecurity services company that specializes in providing tailored risk management solutions to mid-market and emerging companies across various industries, including healthcare, financial services, technology, manufacturing, and defense.
The exploit, discovered by Brian Contario, Principal Cybersecurity Architect at Silent Sector, lies in the fact that the QR codes used for 2FA enrollment contain sensitive information, including a secret key and user identifiers, which can be captured and misused if not properly secured.
"These codes have been present for over a decade, potentially affecting millions of users worldwide. While this vulnerability is not widely recognized, once it becomes more widely known, it will likely emerge as an area of focus for malicious actors," says Contario.
There are a number of ways that bad actors could gain access to the secret key information in the QR codes. Potential caches of the data include email, messaging, or cloud storage repositories where the QR codes or enrollment information have been transmitted or stored.
"Many IT shops, managed service providers (MSPs), as well as other business and technology professionals often store or email these QR codes, leaving them open to discovery. In public places, including airports, cafes and co-working spaces, images of the QR code can be captured simply by using cameras with zoom lenses when QR codes are displayed on screens for enrollment," he says.
More on TelAve News
Scope of the Damage
The potential scale of impact is estimated anywhere from tens to hundreds of millions of affected enrollments. Google Authenticator added support for QR codes approximately 12 years ago.
Millions upon millions of QR code enrollments enabled over the past decade have created a large pool of "data residue" where the digital fingerprints of particular 2FA interactions have been saved and archived.
The enrollment processes were originally designed for hardware security tokens that could securely embed the secret key that were transmitted to physical tokens or other devices.
"However, when this process was adapted for software-based 2FA apps, the secure exchange of the secret key was not properly maintained. As a result, transmitting the QR code can lead to the key being compromised. If attackers gain access to this information, they can potentially use it to bypass the 2FA protection," says Contario. "While the level of awareness of this exploit currently seems to be low – even among IT professionals – the potential for abuse exists," he adds.
Remediation Solution
To address the threat, Silent Sector has developed a fix which involves changing the enrollment process to use a QR code that is paired with a dynamic, one-time URL that directs the authenticator app to retrieve the secret key from a secure server.
"This ensures that the secret key is only sent to the authenticator app, making it more secure. To execute the fix, technology vendors and enterprises that use QR enrollment for multi-factor authentication will need to re-enroll in their 2FA processes using new, secure QR codes," explains Contario.
This way, the secret key is no longer statically embedded in the QR code, but dynamically provided to the authenticator app in a secure manner, preventing the compromise of secure data through the QR code alone.
More on TelAve News
Deploying Remediation at Scale
The biggest remediation challenge revolves around the massive scale of the problem, the risk of exploitation once disclosed and the difficulties in properly notifying and coordinating with all the potentially affected parties.
The issue affects a large number of vendors and systems that have implemented two-factor authentication using QR codes. It is estimated that this issue could affect over a dozen common authenticator apps on the client side. On the server side, there could be hundreds of vendors that need to update their code to address the compromised data.
"There could be millions, tens of millions, or even hundreds of millions of these QR codes out in the wild, making it extremely difficult to notify all affected parties in advance. What's more, existing users who have already enrolled in 2FA using the compromised QR code process must be re-enrolled using the new, more secure process," says Contario.
Economics of Remediation
While the technical fix is not overly complex, the labor-intensive user re-enrollment process across enterprises will be a significant undertaking and involve considerable costs.
Vendors that provide the two-factor authentication software and services will have to take the lead in updating their codes to proactively address the exposure.
For end-user organizations, the major cost will be in the labor required for IT departments to notify and walk users through the process of re-enrolling in two-factor authentication.
"This is likely to be very time-consuming for large organizations and could add up to billions of dollars in enterprise expenditures globally, based on the average hourly rate for IT staff multiplied by the number of individuals that would need to be re-enrolled across many organizations," concludes Contario.
To learn more, please visit: https://datatracker.ietf.org/doc/html/draft-contario-totp-secure-enrollment or Silent Sector's page here, https://silentsector.com/2fa.
The exploit, discovered by Brian Contario, Principal Cybersecurity Architect at Silent Sector, lies in the fact that the QR codes used for 2FA enrollment contain sensitive information, including a secret key and user identifiers, which can be captured and misused if not properly secured.
"These codes have been present for over a decade, potentially affecting millions of users worldwide. While this vulnerability is not widely recognized, once it becomes more widely known, it will likely emerge as an area of focus for malicious actors," says Contario.
There are a number of ways that bad actors could gain access to the secret key information in the QR codes. Potential caches of the data include email, messaging, or cloud storage repositories where the QR codes or enrollment information have been transmitted or stored.
"Many IT shops, managed service providers (MSPs), as well as other business and technology professionals often store or email these QR codes, leaving them open to discovery. In public places, including airports, cafes and co-working spaces, images of the QR code can be captured simply by using cameras with zoom lenses when QR codes are displayed on screens for enrollment," he says.
More on TelAve News
- $10 Million Allocated to Establish Crypto Treasury Focused on High Value Ethereum (ETH) & Bitcoin (BTC) as Long-Term Holdings for Cybersecurity Leader
- Cummings Graduate Institute for Behavioral Health Studies Celebrates New DBH Graduates
- $100 to $200 Million Equity Agreement with Top Digital Advisor Bitwise to Power Major Digital Asset Initiative for Bitcoin and Solana: OFA Group
- New Collaboration Launches Corporate ESG Solution for Responsible Decommissioning and Transparent Reporting
- SlickCashLoan Launches Free Loan Calculator to Help You Plan Monthly Payments
Scope of the Damage
The potential scale of impact is estimated anywhere from tens to hundreds of millions of affected enrollments. Google Authenticator added support for QR codes approximately 12 years ago.
Millions upon millions of QR code enrollments enabled over the past decade have created a large pool of "data residue" where the digital fingerprints of particular 2FA interactions have been saved and archived.
The enrollment processes were originally designed for hardware security tokens that could securely embed the secret key that were transmitted to physical tokens or other devices.
"However, when this process was adapted for software-based 2FA apps, the secure exchange of the secret key was not properly maintained. As a result, transmitting the QR code can lead to the key being compromised. If attackers gain access to this information, they can potentially use it to bypass the 2FA protection," says Contario. "While the level of awareness of this exploit currently seems to be low – even among IT professionals – the potential for abuse exists," he adds.
Remediation Solution
To address the threat, Silent Sector has developed a fix which involves changing the enrollment process to use a QR code that is paired with a dynamic, one-time URL that directs the authenticator app to retrieve the secret key from a secure server.
"This ensures that the secret key is only sent to the authenticator app, making it more secure. To execute the fix, technology vendors and enterprises that use QR enrollment for multi-factor authentication will need to re-enroll in their 2FA processes using new, secure QR codes," explains Contario.
This way, the secret key is no longer statically embedded in the QR code, but dynamically provided to the authenticator app in a secure manner, preventing the compromise of secure data through the QR code alone.
More on TelAve News
- Cellhire boosts its EE offering via deal with BT Wholesale's Complete Mobile
- 24/7 customizable AI answering service from Kell Web Solutions, Inc. helps businesses never miss a customer call, lead, or appointment again
- TikTok Star ArcadeFriends Attempts 24-Hour Claw Machine Marathon at Lucky Puppy Arcade in Las Vegas
- Next-generation virtual receptionist service leverages AI to ensure every customer call and text is answered, enhancing efficiency and engagem
- New AI-Powered Platform from Kell Web Solutions Delivers 24/7 Professional, Automated Call Handling and Appointment Scheduling
Deploying Remediation at Scale
The biggest remediation challenge revolves around the massive scale of the problem, the risk of exploitation once disclosed and the difficulties in properly notifying and coordinating with all the potentially affected parties.
The issue affects a large number of vendors and systems that have implemented two-factor authentication using QR codes. It is estimated that this issue could affect over a dozen common authenticator apps on the client side. On the server side, there could be hundreds of vendors that need to update their code to address the compromised data.
"There could be millions, tens of millions, or even hundreds of millions of these QR codes out in the wild, making it extremely difficult to notify all affected parties in advance. What's more, existing users who have already enrolled in 2FA using the compromised QR code process must be re-enrolled using the new, more secure process," says Contario.
Economics of Remediation
While the technical fix is not overly complex, the labor-intensive user re-enrollment process across enterprises will be a significant undertaking and involve considerable costs.
Vendors that provide the two-factor authentication software and services will have to take the lead in updating their codes to proactively address the exposure.
For end-user organizations, the major cost will be in the labor required for IT departments to notify and walk users through the process of re-enrolling in two-factor authentication.
"This is likely to be very time-consuming for large organizations and could add up to billions of dollars in enterprise expenditures globally, based on the average hourly rate for IT staff multiplied by the number of individuals that would need to be re-enrolled across many organizations," concludes Contario.
To learn more, please visit: https://datatracker.ietf.org/doc/html/draft-contario-totp-secure-enrollment or Silent Sector's page here, https://silentsector.com/2fa.
Source: Silent Sector
Filed Under: Technology
0 Comments
Latest on TelAve News
- Stuck Doing Math or Figuring Out Life's Numbers? Calculator.now Makes It Stupidly Simple
- Colbert Packaging Announces WBENC Recognition
- DivX Empowers Media Enthusiasts with Free Expert Guides for Advanced MP4 Management
- Assent Expands Executive Team to Accelerate Global Growth & Innovation
- The World's Largest Green Economic Revolution Emerges as Nature, Tech, and Finance Converge
- Vinnetwork Unveils Decentralized AI Platform with Vinnetwork(VIN) Token to Challenge Tech Giants' Data Monopoly
- Centennial Flyers to Become Colorado's First Launch Customer for All-Electric B23 Energic Aircraft
- Pyro Marketing Opens New Digital Marketing Company to Power Growth for Fitness and Ecommerce Brands
- Dr. John Salerno of Salerno Wellness Introduces Their New Full Body Capsule for Advanced LED Light Therapy Patient Treatments
- $14M Expansion Deal with Famed David Lloyd Highlights Rebrand of Sports, Entertainment and Gaming Innovation by AI Driven, Online Fan Engagement Co
- Heartfelt Dreams Foundation Launches Campaign to Build CHD Hospital
- Radarsign Tackles Intersection Safety with Launch of Grid-Free Solar LED Stop Sign
- Miami Real Estate Agent Drastically Increases Interest In Homes
- Adostics & Genmega Announce the Introduction of A-POD
- LIB and Nidec Rejoin Forces for Giant TH-0098 Temperature Humidity Test Chamber
- Heritage at South Brunswick Offers Immediate Townhome Appointments and Special Mortgage Incentive Fast-Moving Sales
- NASA Collaborative Agreement for Supply of Thin-Film Solar Tech for Orbital Application to Advance Development of Thin-Film PV Power Beaming: $ASTI
- Exciting New Era of Sports, Entertainment & Gaming Innovation Spotlighted by Rebrand of Expanding AI Driven, Online Fan Engagement Company: SEGG Media
- Service Ninjas Debuts First-of-Its-Kind "Membership" Platform for Home Service Pros
- BIYA Forecasts 2025 Surge with ¥300M ($41.8 M USD) in Revenue and ¥25M Profit from Cloud Based HR Solutions: Baiya Intl. Group (N A S D A Q: BIYA)