NetKnights privacyIDEA Authenticator OTP Seed Disclosure Vulnerability
Vulnerability
A vulnerability in NetKnights GmbH privacyIDEA Authenticator for Android, specifically in version 4.3.0, allows local attackers with root access to bypass two-factor authentication. This is achieved by using a dynamic instrumentation framework such as Frida to hook the app and intercept the decryption of its one-time password (OTP) secrets. The extracted plaintext OTP seeds can be used to generate valid one-time passwords, effectively circumventing authentication for enrolled accounts.
Impact
Exploitation of this vulnerability leads to the disclosure of OTP seeds, allowing for the generation of valid one-time passwords and bypassing two-factor authentication on compromised devices.
Reproduction
To reproduce this vulnerability, a local attacker must have root access on the Android device. Once the device is rooted, the attacker can attach Frida to the privacyIDEA Authenticator app process. After injecting a script that hooks into the app's cryptographic functions, the Frida tool can intercept the decryption of stored OTP seeds. These seeds can then be extracted from the app's memory and used to generate valid one-time passwords.
Remediation
Users are advised to treat rooted or compromised devices as untrusted. Implement device-integrity checks and, for enhanced security, use hardware-backed, non-exportable keys or external tokens to manage OTP secrets, minimizing their plaintext exposure in memory.
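The remediation above recommends hardware-backed, non-exportable keys. The following added example (not code from the privacyIDEA Authenticator project) shows one way to apply that on Android: the OTP seed is imported once into the Android Keystore as an HMAC key with only the SIGN purpose, after which the HOTP/TOTP HMAC is computed by the Keystore rather than by app code holding the seed. The alias and the `digits` parameter are assumptions for illustration.

```java
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Keystore-backed HOTP/TOTP: the seed is imported once and is never read back into app memory. */
public final class KeystoreOtp {
    private static final String STORE = "AndroidKeyStore";

    /** Enrollment: import the raw seed as a non-exportable HMAC-SHA1 key (hypothetical alias). */
    public static void enroll(String alias, byte[] seed) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        // PURPOSE_SIGN only: the key can compute MACs but cannot be exported.
        // setIsStrongBoxBacked(true) could additionally request a secure element where available.
        KeyProtection protection = new KeyProtection.Builder(KeyProperties.PURPOSE_SIGN).build();
        ks.setEntry(alias,
                new KeyStore.SecretKeyEntry(new SecretKeySpec(seed, KeyProperties.KEY_ALGORITHM_HMAC_SHA1)),
                protection);
        Arrays.fill(seed, (byte) 0); // the plaintext seed exists in memory only during enrollment
    }

    /** RFC 4226 HOTP for a counter; the HMAC runs inside the Keystore, so the seed never leaves it. */
    public static String hotp(String alias, long counter, int digits) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(alias, null); // an opaque handle; getEncoded() returns null
        Mac mac = Mac.getInstance(KeyProperties.KEY_ALGORITHM_HMAC_SHA1);
        mac.init(key);
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f; // dynamic truncation (RFC 4226, section 5.3)
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format("%0" + digits + "d", bin % (int) Math.pow(10, digits));
    }

    /** RFC 6238 TOTP with the default 30-second time step. */
    public static String totp(String alias, long unixSeconds, int digits) throws Exception {
        return hotp(alias, unixSeconds / 30, digits);
    }
}
```

This removes the at-rest decryption step that the advisory describes being hooked, but it does not make a rooted device trustworthy: the seed is still in plaintext during enrollment and the generated OTP is still visible to the app process, which is why the advisory also calls for device-integrity checks.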
