From Xero to Zero
Is Xero Vulnerable?
To test the security of Xero's online accounting software, I wanted to see whether its login process left users open to man-in-the-middle (MITM) attacks.
I created a trial account, signed up and logged into Xero using standard single-factor authentication (1FA, i.e. a password alone). I then installed the Xero app on my phone and logged in there as well, and was able to skip MFA (multi-factor authentication) entirely.
Neither the sign-up nor the standard login process on the website prompted me to set up MFA, let alone required it.
Once logged into the Xero website there were no prompts to set up MFA, and I had to hunt through multiple menu options to find it. Once found, it uses Google Authenticator, i.e. time-based one-time password (TOTP) codes, as the second factor. A TOTP code only proves that the person logging in held the phone at that moment: it stops an attacker reusing a stolen password later, but it does not stop one who relays the code to Xero in real time within the code's validity window.
So what is a man-in-the-middle attack? The attacker positions themselves between the user's device and the service, so that all traffic passes through systems they control on its way to the internet. They can read the packets and glean data such as usernames, passwords and account numbers. Over HTTPS this also requires defeating TLS, for example by getting the user to accept a rogue certificate or trust a malicious proxy, but once the attacker has a static password they can log in with it for as long as it remains valid.
When I spoke to Xero directly, the reason given for not enforcing MFA at sign-up was that many of their customers do not have the ability to add MFA through Google Authenticator.
I find this hard to comprehend. What is more, you need a smartphone to download the app, so it stands to reason that MFA should be enforced at least when a user logs into the app from a smartphone. This is not the case: you can skip all of the security steps easily.
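To make the replay point concrete, here is an added example written for this page (it is not Xero's code and not Google's; it implements RFC 6238 TOTP, the scheme Google Authenticator uses, from scratch with the standard library). It simulates an attacker who has skimmed a login, as in the MITM description above, and the same argument applies to a password typed into a phishing page. The stored password, the base32 demo secret and the timestamps are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in base32, the format a Google Authenticator QR code carries.
# Not a real Xero secret; any 160-bit random value would do in practice.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30      # RFC 6238 time step in seconds (Google Authenticator's default)
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation (RFC 4226)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian step count
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus drift_steps for clock skew."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(stored_password: str, stored_secret_b32, password: str, code, unix_time: int) -> bool:
    """Simulated login. With no enrolled secret (1FA) the password alone is enough;
    with a secret enrolled, a valid TOTP for the current time is also required."""
    if not hmac.compare_digest(stored_password, password):
        return False
    if stored_secret_b32 is None:
        return True
    return code is not None and verify_totp(stored_secret_b32, code, unix_time)


def replay_demo() -> dict:
    """Attacker captured the password and (where MFA is on) the TOTP code at t0,
    and tries to reuse them five minutes later."""
    t0 = 1_700_000_000                     # constructed capture time
    captured_pw = "correct horse battery staple"
    captured_code = totp(DEMO_SECRET_B32, t0)
    later = t0 + 300
    return {
        # 1FA account: the skimmed password still works at any later time.
        "1fa_replay": login(captured_pw, None, captured_pw, None, later),
        # MFA account, code relayed within seconds: still works (TOTP is not phishing-proof).
        "mfa_live": login(captured_pw, DEMO_SECRET_B32, captured_pw, captured_code, t0 + 20),
        # MFA account, code replayed five minutes later: rejected, the step has moved on.
        "mfa_replay": login(captured_pw, DEMO_SECRET_B32, captured_pw, captured_code, later),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The `drift_steps` window is the usual compromise between clock skew and exposure: each extra step the server accepts extends how long a skimmed code stays usable, so keep it at one step either side and, separately, reject a code that has already been used.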
Xero is also seeing multiple phishing attempts, as its own notice describes:
Sept 21st, 2016 – Update on Xero invoice phishing emails being sent from the @post-xero.com or the postxero.com domain. The full From address is firstname.lastname@example.org, rather than Xero's legitimate email@example.com address.
All of the examples seen so far have ‘Invoice INV00249’ in the subject line. But this could change so don’t assume an email is legitimate if it doesn’t have this invoice number. The attackers are also using a variety of company names.
If one of these emails makes it as far as your inbox, you should report it as phishing and delete it without clicking on any links or attachments.
The worry is that if you don't have MFA set up on Xero, these phishing emails could work: a password typed into a fake login page is then all the attacker needs to log in as you.
How many people and companies (these days) don't have smartphones? And how many companies and people have a Xero account that is not using MFA? These are both questions I would love to know the answer to!
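The notice above gives enough to build a simple sender check for a mail gateway or a triage script. What follows is an added example, not Xero's own filter: it classifies constructed sample emails by the domain in the From header, treats post-xero.com and postxero.com (the domains named in the notice) as known bad, and assumes xero.com is the legitimate domain, since the page redacts the real address. The domains xero-online.net and example.net are made-up test values. The subject line is deliberately never consulted, because the notice warns that the invoice number can change.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: xero.com is the legitimate sender domain (the page redacts the real address).
LEGITIMATE_DOMAINS = {"xero.com"}
# Domains named in Xero's 21 September 2016 notice.
KNOWN_BAD_DOMAINS = {"post-xero.com", "postxero.com"}
BRAND = "xero"


def parse_sender(raw_message: str):
    """Return (display_name, domain) from the From header, both lower-cased."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), domain


def in_domains(domain: str, allowed: set) -> bool:
    """Exact match or a subdomain of an allowed domain:
    mail.xero.com matches xero.com, xero.com.evil.net does not."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def classify(raw_message: str) -> str:
    """Classify on the sender alone. The subject is ignored on purpose: the notice
    says the 'Invoice INV00249' subject can change, so it is not a reliable signal."""
    name, domain = parse_sender(raw_message)
    if in_domains(domain, LEGITIMATE_DOMAINS):
        return "legit"
    if in_domains(domain, KNOWN_BAD_DOMAINS):
        return "known-bad"
    # Brand name inside an unknown domain (hyphens and dots stripped so post-xero
    # style variants are caught), or in the display name of a non-Xero address.
    stripped = domain.replace("-", "").replace(".", "")
    if BRAND in stripped or BRAND in name:
        return "lookalike"
    return "unrelated"


# Constructed sample messages (headers only); none of these are real emails.
SAMPLES = {
    "genuine": "From: Xero <noreply@xero.com>\nSubject: Invoice INV00249\n\nbody\n",
    "notice_domain_1": "From: Xero Invoices <accounts@post-xero.com>\nSubject: Invoice INV00249\n\nbody\n",
    "notice_domain_2": 'From: "Xero" <billing@postxero.com>\nSubject: Payment overdue\n\nbody\n',
    "new_lookalike": "From: Xero <invoices@xero-online.net>\nSubject: Invoice INV00310\n\nbody\n",
    "display_name_only": "From: Xero Support <alice@example.net>\nSubject: Your account\n\nbody\n",
    "ordinary": "From: Alice <alice@example.net>\nSubject: Invoice INV00249\n\nbody\n",
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample label to its classification."""
    return {label: classify(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:18} -> {verdict}")
```

Note that "ordinary" carries the exact Invoice INV00249 subject yet is still classed as unrelated, and "new_lookalike" carries a different invoice number yet is flagged: the From domain is the signal, not the subject. A real deployment would also check the envelope sender and SPF/DKIM results, which a header-only check like this cannot see.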
SPECIALISTS IN CYBER SECURITY
Here at CYBER123 we believe that prevention and training are the best way to secure your digital world. If we can train you in what to spot and in how scams and cybercrime work, then we believe you are less likely to become a victim. Our training offers scenarios and advice on what to spot, how to protect yourself and how to deal with the scams and frauds that are out there today.
Understanding the resources that support critical functions, and the related cyber security risks, enables businesses to direct resources and effort towards mitigating those risks.
CALL US: +44 (0)20 3457 4683 EMAIL US: firstname.lastname@example.org