A 17-year-old hacker going by the name “Tea Pot” found a gap in Uber’s security and broke in. Having obtained an Uber employee’s login credentials, the attacker tried to sign in again and again; each attempt caused Uber’s MFA system to send the employee a genuine push notification asking him to approve the login. The trick that makes this work is volume: a continuous stream of prompts creates urgency and annoyance, an MFA fatigue attack, in which the target is worn down by the sheer number of notifications until they take some action to make them stop. When the employee did not respond to the notifications, the hacker contacted him on WhatsApp posing as Uber’s IT team and told him to approve the request, lending the whole ruse a sense of legitimacy.
The employee, seeing the WhatsApp message, did as asked and approved the request. The hacker thereby gained access to Uber’s intranet and many internal systems, including Slack, Google Workspace and Confluence. He then posted this message on Slack.
The Slack message from the alleged hacker was so brazen that many Uber employees appear to have initially thought it was a joke. Responses to the post included lighthearted emoji such as sirens and popcorn; staff were chatting with the hacker, assuming someone was playing a prank.
This is a conversation between the hacker and a reporter on Telegram, explaining how he carried out the hack.
How does an MFA fatigue attack work?
Obtaining User Credentials: The attacker first needs to obtain the user's primary credentials, which usually means the username and password. This might be done through phishing, data breaches, or other methods of acquiring user data.
Initiating the Login Process: Using these credentials, the attacker attempts to log in to the user's account. Since the account is protected by multi-factor authentication, this triggers a request for a second form of verification.
Sending MFA Requests: If the second factor is push-based (as with Duo Push or Microsoft Authenticator), the service sends a push notification to the authenticator app on the registered device asking the user to approve the sign-in. The attacker repeatedly initiates login attempts to generate a stream of such requests, hoping to wear the user down until they accept one. Code-based factors such as the TOTP codes generated by Google Authenticator are not susceptible in this way: there is nothing to approve, so the attacker would still need the code itself.
User Response: If the user accepts an authentication request, either by mistake or out of annoyance to stop the repeated notifications, the attacker gains access to the account.
MFA fatigue (also called MFA bombing or push bombing) exploits human error rather than a weakness in the MFA technology itself. For users, the rule is simple: only approve an authentication request when you are certain you initiated the sign-in, and report unexpected prompts rather than silently dismissing them. For defenders, the practical controls are push approvals that require number matching (the user types a code shown on the login screen into the app), limiting how many push requests a user can receive in a short window, alerting on bursts of denied or expired prompts, and preferring phishing-resistant factors such as FIDO2/WebAuthn security keys, which cannot be approved from a notification at all.
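The sequence described in the steps above leaves a distinctive trace in authentication logs: a burst of push requests to one user, most of them denied or left to expire, followed by a single approval. The script below is an added detection example and is not code from the original article or from Uber; the log format, the sample log lines and the user names are constructed for illustration, and the thresholds (look-back window, burst size, number of rejections before an approval) are assumptions to be tuned against real data.

```python
"""Flag MFA-fatigue patterns in push-authentication logs (added example).

Log format assumed here (hypothetical): "<ISO-8601 timestamp> <user> <outcome>",
where outcome is one of push_sent, push_denied, push_expired, push_approved.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window for counting pushes (assumed)
BURST_THRESHOLD = 5              # pushes in one window that count as a burst (assumed)
REJECTIONS_BEFORE_APPROVAL = 3   # denied/expired prompts before an approval (assumed)

# Constructed sample log: alice is bombed with six prompts in under ten minutes,
# rejects five and finally approves one; bob and carol are ordinary sign-ins.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent
2022-09-15T22:01:09Z alice push_denied
2022-09-15T22:01:40Z alice push_sent
2022-09-15T22:01:45Z alice push_denied
2022-09-15T22:02:30Z alice push_sent
2022-09-15T22:02:37Z alice push_denied
2022-09-15T22:03:00Z bob push_sent
2022-09-15T22:03:09Z bob push_approved
2022-09-15T22:04:10Z alice push_sent
2022-09-15T22:05:10Z alice push_expired
2022-09-15T22:06:00Z alice push_sent
2022-09-15T22:06:05Z alice push_denied
2022-09-15T22:09:30Z alice push_sent
2022-09-15T22:09:48Z alice push_approved
2022-09-15T22:15:00Z carol push_sent
2022-09-15T22:16:00Z carol push_expired
2022-09-15T22:16:20Z carol push_sent
2022-09-15T22:16:27Z carol push_approved
"""


@dataclass
class Event:
    ts: datetime
    user: str
    outcome: str


def parse_log(text):
    """Parse log lines into Event objects, sorted by time; skips blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, outcome = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    events.sort(key=lambda e: e.ts)
    return events


def analyze(events):
    """Return {user: finding} for users whose push activity looks like MFA fatigue."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = {}
    for user, evs in by_user.items():
        # Largest number of pushes sent to this user inside any WINDOW-sized span
        # (sliding window over the sorted send times).
        sent = [e.ts for e in evs if e.outcome == "push_sent"]
        max_burst, start = 0, 0
        for end in range(len(sent)):
            while sent[end] - sent[start] > WINDOW:
                start += 1
            max_burst = max(max_burst, end - start + 1)

        # An approval preceded by several denied/expired prompts within WINDOW is
        # the "user gave in" signature; a single retry after a timeout is not.
        approved_after_rejections = False
        rejections = []
        for e in evs:
            if e.outcome in ("push_denied", "push_expired"):
                rejections.append(e.ts)
            elif e.outcome == "push_approved":
                recent = [t for t in rejections if e.ts - t <= WINDOW]
                if len(recent) >= REJECTIONS_BEFORE_APPROVAL:
                    approved_after_rejections = True
                rejections = []

        if max_burst >= BURST_THRESHOLD or approved_after_rejections:
            findings[user] = {
                "max_pushes_in_window": max_burst,
                "approved_after_rejections": approved_after_rejections,
            }
    return findings


def scan(text):
    """Convenience wrapper: parse and analyze a log in one call."""
    return analyze(parse_log(text))


if __name__ == "__main__":
    for user, finding in scan(SAMPLE_LOG).items():
        print(f"ALERT {user}: {finding}")
```

Only alice is flagged: six prompts inside the window and an approval following five rejections, which is the high-severity case (the attacker is now in). bob's single approved prompt and carol's one expired prompt followed by a successful retry stay below both thresholds, which is the behaviour to preserve when tuning, since legitimate users do occasionally miss a push. In production the burst count alone is already worth a medium alert, because a user who keeps denying is still being targeted with valid credentials that need rotating.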