Reply to post: User-supplied paths

Authy 2FA app popped by simple, secret, code

Raumkraut

User-supplied paths

Faulty input validation is one thing, and the most obvious that people pick up on, but I can't help feeling that this occurred entirely because of a fundamental wtf in the API design:

It introduces path traversal making attacker’s job much easier - you only need to type '../sms' to turn /verify API call into /sms (/verify/../sms/authy_id) which will always return 200 status and will bypass 2FA,

So they appear to be using an HTTP-based API. In the HTTP protocol there are explicit places for communicating user-supplied variables - in the query string or POST body. So why, for the love of Tim, are they putting the (user-supplied) verification code in the request path?

That's just.... no.
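To make the point concrete, here is a small added example (written for this reply, not code from the article or from Authy; the host name is a placeholder and the `/verify/<code>/<authy_id>` and `/sms/<authy_id>` shapes are assumed from the quoted sentence). It shows what a server that normalises dot segments actually routes on when the code is spliced into the path, and a request builder that validates the code and keeps it out of the path entirely:

```python
import posixpath
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Placeholder host, not the real API. Endpoint shapes assumed from the quote.
BASE = "https://api.example.invalid"
# A 2FA code is a short string of digits; anything else is rejected outright.
CODE_RE = re.compile(r"^[0-9]{6,8}$")


def naive_verify_url(authy_id: str, code: str) -> str:
    """The design the post objects to: the user-supplied code is a path segment."""
    return f"{BASE}/verify/{code}/{authy_id}"


def routed_endpoint(url: str) -> str:
    """First path segment after dot-segment normalisation, i.e. which handler a
    normalising server would dispatch to. Useful as a unit-test oracle."""
    path = posixpath.normpath(urlsplit(url).path)
    return path.strip("/").split("/", 1)[0]


def safe_verify_url(authy_id: str, code: str) -> str:
    """Hardened builder: validate both values, percent-encode the path segment,
    put the code in the query string, and confirm the path did not escape."""
    if not CODE_RE.fullmatch(code):
        raise ValueError("verification code must be 6-8 digits")
    if not authy_id.isdigit():
        raise ValueError("authy_id must be numeric")
    path = f"/verify/{quote(authy_id, safe='')}"
    # Defence in depth: even after normalisation the path must stay under /verify.
    if not posixpath.normpath(path).startswith("/verify/"):
        raise ValueError("path escaped the verify endpoint")
    query = "token=" + quote(code, safe="")
    return urlunsplit(("https", urlsplit(BASE).netloc, path, query, ""))


if __name__ == "__main__":
    print(routed_endpoint(naive_verify_url("1234", "123456")))  # verify
    print(routed_endpoint(naive_verify_url("1234", "../sms")))  # sms
    print(safe_verify_url("1234", "123456"))
```

Note that percent-encoding alone is not a reliable fix, since some servers decode before routing; the format check on the code is the primary control and the normalisation check is the backstop.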
