Tricking Google Authenticator TOTP with NTP

Because of unsafe NTP practices, internal clocks on remote machines can be manipulated under the right conditions. Once the time is altered, expired SSL certificates become valid again and HSTS policies expire.

But what about authentication? Certain TOTP implementations such as popular WordPress plugins also rely on the local timestamp.

This article demonstrates a proof of concept for accessing WordPress dashboards protected by two-factor authentication.
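The sketch below shows why a TOTP verifier that trusts only the local timestamp accepts an old code again once the clock is set back, and how remembering the last accepted time step (RFC 6238, section 5.2) stops that. It is an added example, not the article's proof of concept or any plugin's code; the class names, the injected clock and the demo times are assumptions, and the secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
SECRET = b"12345678901234567890"  # RFC 6238 SHA-1 test secret, not a real key
T_CAPTURE, T_LATER = 1111111109, 1234567890  # constructed demo times

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ClockOnlyVerifier:
    """Hypothetical verifier: accepts whatever is valid for the local clock."""
    def __init__(self, secret, clock):
        self.secret, self.clock = secret, clock

    def verify(self, code: str) -> bool:
        return hmac.compare_digest(code, totp(self.secret, self.clock()))

class StepTrackingVerifier(ClockOnlyVerifier):
    """Also refuses any time step at or before the last accepted one.
    In a real deployment last_step must be persisted per user."""
    def __init__(self, secret, clock):
        super().__init__(secret, clock)
        self.last_step = -1

    def verify(self, code: str) -> bool:
        step = self.clock() // STEP
        if step <= self.last_step or not super().verify(code):
            return False
        self.last_step = step
        return True

def demo() -> dict:
    """Returns (first use, reuse after time passes, reuse after clock rollback)."""
    results = {}
    for cls in (ClockOnlyVerifier, StepTrackingVerifier):
        now = {"t": T_CAPTURE}  # stands in for the server's system clock
        verifier = cls(SECRET, lambda: now["t"])
        code = totp(SECRET, T_CAPTURE)  # a code that was observed once
        first = verifier.verify(code)
        now["t"] = T_LATER  # time passes, the code expires
        expired = verifier.verify(code)
        now["t"] = T_CAPTURE  # clock is set back to the capture time
        results[cls.__name__] = (first, expired, verifier.verify(code))
    return results
```

Step tracking only blocks reuse of steps already consumed; the server's time source still needs to be authenticated so the clock cannot be moved in the first place.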

The post Tricking Google Authenticator TOTP with NTP appeared first on Rainbow and Unicorn.

This is a Security Bloggers Network syndicated blog post authored by Gabor. Read the original post at: Rainbow and Unicorn