This 2FA bypass was a real treat to discover. It all started when I was charging my phone, and didn’t want to get up and go get it from across the room. My solution? Let’s find a way to break it!
A few clicks later, a forgotten development menu was found that bypassed the 2FA requirement for accounts enabled with that feature!
Abine Blur is a password management suite combined with online anonymity tools.
II. Problem Description
The Password Manager Extension in Abine Blur 7.8.242* allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data.
Abine Blur 7.8.242* failed to secure the right-click context menu, allowing an attacker with either physical access or remote-desktop access to disclose passwords, emails, and usernames of the victim without triggering a second-factor request.
Access to secured data can lead to secure information exfiltration, a 2FA bypass, and a further undisclosed MacOS(x) disk encryption console bypass (to access secured Abine Blur data).
No workaround, as the vendor has issued a patch.
Update your browser plug-in per your browser vendor’s instructions. Firefox 5x.xx and Chrome 63.x are known to automatically update to the latest version.
VI. Timeline of Events
2018-02-13: Discovery of Vulnerability
2018-02-13: Vendor Contacted
2018-02-14: CERT/CC activated for vendor PGP coordination
2018-02-14: Vendor responds (PGP)
2018-02-15: CERT/CC [VU#714299] unable to assist further
2018-02-16: MITRE Contacted for CVE
2018-02-17: MITRE Confirms & Issues CVE (CVE-2018-7213)
2018-02-28: Patch Issued
2018-03-10: Public Disclosure.