This is a follow-up on the previous post Brute-Forcing Borrowers’ PINs at the Swedish Board of Student Finance (CSN) where I describe some vulnerabilities discovered in August 2020 and the response from CSN. It seems I missed another problem with the CAPTCHA though. And it was right in front of my eyes…

The Swedish Board of Student Finance CSN is the government agency that manages Swedish student finance, i.e. grants and loans for studies. They also manage driving licence loans and home equipment loans. (Source)

This is the story of when I found two security vulnerabilities in their login functionality and reported it to them.

This is the story on how I discovered that Yubico used an invalid certificate chain in their Personal Identity Verification (PIV) attestation feature on YubiKey 4.3 and YubiKey NEO, which could only be solved by a new hardware release. The impact for users and organizations is that the certificate chain will be deemed invalid by tools that verifies the chain properly, such as OpenSSL version 1.1.0 and later. Yubico has published a custom Python script that can be used to verify their attestation certificate chains.

You probably use an “authenticator app” such as Google Authenticator to enable two-step verification (sometimes called two-factor authentication, 2FA, or multi-factor authentication, MFA) for an online account. The method is called Time-Based One-Time Password Algorithm (TOTP) and is standardized in RFC 6238. In October 2017 when I evaluated HashiCorp Vault for generating and storing TOTP secrets for a system at work I realized that the Android version and iOS version of Google Authenticator differed a lot when it comes to which modes are supported.

TL;DR: This post has a lot of details. Skip to the Summary if you know the challenge and are here just for the solution. Door icon made by Freepik from www.flaticon.com is licensed by CC 3.0 BY. Between Christmas and New Year’s I attended the 35th Chaos Communication Congress (CCC), 35C3, in Leipzig, Germany, together with Malmö based Xil hackerspace. It was my third congress (in a row). Since 2012 there has been a Capture The Flag (CTF) competition at congress.

Inpired by Hackeriet’s blog where Alexander Kjäll use to post CTF write-ups, I’ve decided to create a personal one for myself. Focus will be on IT security. Hackeriet’s blog is powered by Jekyll which is a static site generator written in Ruby. See their post Creating a fast blog for how they set up their blog. I have decided to try another static site generator called Hugo, which is written in Go.