Hacker News new | past | comments | ask | show | jobs | submit login

Seems like two factor authentication here would have helped.



How?


Because the backdoor was logging fb developer credentials. The stolen creds would not be useful with two-factor required every time.


If the attacker has control of the box, he can just man-in-the-middle a two-factor token.

It would certainly require the attacker to be a little more proactive, but it would hardly stop the credentials from being useful.


But he did not have access to the box with the 2FA. The attack just had access to a box hosting software from a third party, completely isolated from FB's infrastructure.

With the passwords, however, he might have gotten access to the VPN or services. 2FA would have certainly helped.

This is of course only interesting if the passwords were reused (even the most security minted folks do that). If a third party vendor does not support 2FA, or when dealing with legacy code, it believe it is good practice to only use randomly generated passwords by password managers.


They were able to snarf passwords plaintext.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: