• ugjka@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    I realized long time ago that I don’t want my 2FA be tied to my phone number. And then i found you can’t export your data from Authy because they know they are scummy fucks and don’t want to anyone to leave

    • maryjayjay@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      4 months ago

      You can, though. But not through their app. Someone reverse engineered their protocol and wrote a program that connects like a new client, which you then approve, and it dumps all your random seeds into a text file. I then put them all into Keepass.

      Edit: Unfortunately, the author has deprecated the project as Authy has added some attestations to their API, seemingly for this exact issue. https://github.com/alexzorin/authy?tab=readme-ov-file

  • kitnaht@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    4 months ago

    ‘hacked’. Eh. There was an API endpoint left open that allowed them to basically just spam it with no rate limiting. They used the lack of a rate limit to just pull the data out of the API that it was made to produce.

    • just_another_person@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      4 months ago

      Yeah. They got data in a way that was not intended. That’s a hack. It’s not always about subverting something by clickity-clacking like in the movies.

      • kitnaht@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        4 months ago

        Exploit. The system worked as intended, just without a rate limit. A hack would be relying on a vulnerability in the software to make it not function as programmed.

        It’s the difference between finding a angle in a game world that causes your character to climb steeper than it should, vs rewriting memory locations to no-clip through everything. One causes the system to act in a way that it otherwise wouldn’t (SQL injections, etc) – the other, is using the system exactly as it was programmed.

        Downloading videos from YouTube isn’t “Hacking” YouTube. Even though it’s using the API in a way it wasn’t intended. Right-clicking a webpage and viewing the source code isn’t hacking - even if the website you’re looking at doesn’t want you looking at the source.

        • 0xD@infosec.pub
          link
          fedilink
          English
          arrow-up
          0
          arrow-down
          1
          ·
          4 months ago

          A missing rate limit is a vulnerability, or a weakness, depending on the definition. You’re playing smart without having an idea of what you’re talking about. Here you go:

          https://cwe.mitre.org/data/definitions/799.html

          YouTube videos are public, and as such it’s not really hacking. If you were able to download private videos, for example, it would be a vulnerability like “Improper Access Control”. It does not matter in the least whether you use an “exploit” in your definition (which is wrong) or “just increment the video ID”.

          The result is a breach of confidentiality, and as such this is to be classified as a “hack”.

      • NateNate60@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        With due respect, you are wrong.

        hack

        1. (transitive, slang, computing) To hack into; to gain unauthorized access to (a computer system, e.g., a website, or network) by manipulating code

        Hacking means gaining unauthorized access to a computer system by manipulating or exploiting its code.

        Wiktionary

          • NateNate60@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 months ago

            They did not do it by manipulating code. This wasn’t the result of a code vulnerability. If you leave the door wide open with all your stuff out for the entire neighbourhood to see, you can’t claim you were “broken into”. Similarly, if you don’t secure your endpoints, you can’t claim you were “hacked”.

            • sudneo@lemm.ee
              link
              fedilink
              English
              arrow-up
              0
              ·
              4 months ago

              Lack of rate limiting is a code vulnerability if we are talking about an API endpoint.

              Not that discussion makes any sense at all…

              Also, “not securing” doesn’t mean much. Security is not a boolean. They probably have some controls, but they still have a gap in the lack of rate limiting.

              • NateNate60@lemmy.world
                link
                fedilink
                English
                arrow-up
                0
                ·
                4 months ago

                It is a vulnerability, but exploiting that vulnerability is not generally considered by security experts to be “hacking” in the usual meaning of that term in academic settings. Using an open or exposed API, even one with a sign that says “don’t abuse me”, is generally not considered hacking.