Date: 2012-06-04

CloudFlare, a CDN and security proxy company, had their service compromised due to flawed password and two-factor authentication reset process in GMail.

Matthew Prince, the CEO of CloudFlare, had his personal Google email account hacked. The account was protected by two-factor authentication.

Google offers two-factor authentication on their web based email a.k.a. GMail. Two-factor authentication should protect against cases where the attacked somehow gains access to the account password. In this case, the two-factor authentication is believed to be reset through social engineering AT&T customer support. Prince’s voicemail message was modified by the attacker in order to receive and record an automated phone call from Google with a audible code that could be used to reset his account credentials.

The personal email account of Prince was the recovery email for Google Apps for Business. After gaining the access to Apps, the attacker could read some transaction email traffic, including password reset emails, which was BCC’ed to CloudFlare team. BCC email feature was for error diagnostics. The attacker performed password reset on account, grabbed the password reset email, logged in to 4Chan account and then was able to redirect all traffic to a page under the control of the attacker.

After the incidence Google changed their password and two-factor authentication reset procedures.

Related evaluation points: