Authentication / Weaker Authentication in Alternative Channel
Description
Weaker Authentication in Alternative Channel (CWE-287) is an authentication weakness that occurs when an alternative authentication channel relies on a weaker mechanism than the primary channel. It is common in web and API applications where a secondary mechanism (such as SMS or e-mail) serves as a backup to the primary login. Because an attacker only needs to defeat the weakest channel, the overall assurance of the login drops to that of the secondary mechanism whenever it offers less protection than the primary one. (Reference: https://cwe.mitre.org/data/definitions/287.html, OWASP Testing Guide v4)
Risk
The risk of this vulnerability is that an attacker can bypass the primary authentication mechanism entirely and instead authenticate through the weaker alternative channel, gaining unauthorized access to the account and to the sensitive data or resources behind it. A risk assessment should be undertaken to determine the severity of the vulnerability and the impact it could have on the system.
Solution
The solution is to hold the alternative authentication channel to the same assurance level as the primary channel: apply the same factor requirements (for example multi-factor authentication) and the same password-strength and credential-handling policy on every path, so that no channel offers a cheaper way into the account than the primary login.
Example
In this example, the application uses SMS as an alternative authentication channel. The code below shows the authentication process (primaryAuth, getUser and sendSMS are the application's own helpers, not shown here):

    function authenticate(request) {
        let user;
        if (primaryAuth(request) === true) {
            // Primary channel: the full login check has passed.
            user = getUser(request);
            return user;
        } else {
            // Fallback channel: identity is established by a code sent over SMS,
            // so the SMS channel alone decides whether access is granted.
            sendSMS(request);
            return user;
        }
    }
In this example, the application uses SMS as a secondary authentication channel. If the primary authentication fails, the application sends an SMS to the user for verification. This creates a vulnerability because SMS is a weaker authentication mechanism than the primary check, so an attacker who can satisfy the SMS path alone gains access without ever passing the primary authentication.