Most of the topics and hacks in this book have been well covered previously by lots of different sources, and the attacks they explore have been performed in the public domain for many years. This chapter is different. It examines a topic that is not well discussed and includes demo attacks that, as far as I know, have never been performed publicly. It does not make what this chapter covers, component abuse and subject hijacking, any the less concerning for people interested in authentication security.

Introduction

In Chapter 5, “Hacking MFA in General,” we looked at more than 20 different authentication components, all of which can be attacked and exploited to compromise or get around multifactor authentication. It's a large, complex system of reliance that is rarely all controlled by a single entity. But even when a single entity controls all the factors, making sure they don't get abused to allow a hacker to get around authentication is a challenge.

In this chapter, we'll cover a specific type of authentication component abuse in order to illustrate the power of the namespace dependencies. I'll show that simply changing one field of unprotected information can drastically change and invalidate authentication in unexpected ways. This chapter will just focus on one scenario in one particular type of environment, but the larger lesson can be applied to all forms of MFA in all sorts of environments.

The key takeaway of this chapter is to understand ...