This 2FA bypass was a real treat to discover. It all started when I was charging my phone, and didn’t want to get up and go get it from across the room. My solution? Let’s find a way to break it!

A few clicks later, a forgotten development menu was found that bypassed the 2FA requirement for accounts enabled with that feature!

I. Background

Abine Blur is a password management suite combined with online anonymity tools.

II. Problem Description

CVE Description

The Password Manager Extension in Abine Blur 7.8.242* allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data.

Technical

Abine Blur 7.8.242* failed to secure the right-click context menu, allowing an attacker with either physical access or remote-desktop access to disclose passwords, emails, and usernames of the victim without triggering a second-factor request.

III. Impact

Access to secured data can lead to exfiltration of secured information, a 2FA bypass, and a further undisclosed macOS (OS X) disk encryption console bypass (to access secured Abine Blur data).

IV. Workaround

No workaround, as the vendor has issued a patch.

V. Solution

Update your browser plug-in per your browser vendor’s instructions. Firefox 5x.xx and Chrome 63.x are known to automatically update to the latest version.

VI. Timeline of Events

2018-02-13: Discovery of Vulnerability
2018-02-13: Vendor Contacted
2018-02-14: CERT/CC activated for vendor PGP coordination
2018-02-14: Vendor responds (PGP)
2018-02-15: CERT/CC [VU#714299] unable to assist further
2018-02-16: MITRE Contacted for CVE
2018-02-17: MITRE Confirms & Issues CVE (CVE-2018-7213)
2018-02-28: Patch Issued
2018-03-10: Public Disclosure