Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com)
"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security:
The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.
Re: (Score:2)
You still enter your second factor in the scam website thus providing them with authorization.
However since every website with two factor has its own two factor they can only target selected sites at a given time.
Re: (Score:2)
How would you be prompted to enter the second code into the site? "Durp, you never set up 2 factor authentication, but go ahead and enter the SMS you get from Google into this form field on a non-Google site."? Or perhaps "Uh, open your authenticator application and enter the code for the entry attached to the email account you just gave us."? Or even "Use your dedicated hardware token for your bank."?
Re: Good thing I use none of those PARASITES (Score:2)
That actually seems like a good defense.
Daily Computer Science paper (Score:2, Offtopic)
2FA (Score:1, Offtopic)
Re: (Score:1)
Quoting that article, "Adding a layer of SMS-based verification to your login process is certainly better than relying on a password alone.", because "Those attacks (...) likely require the attacker to figure out the user's cell phone number in addition to the password that they've stolen, guessed, or reused after being compromised in a data breach from another hacked service."
At least scan things You quote for support of Your claims.
Re: (Score:1)
Re: (Score:2)
Re:So, don't do stupid shit. (Score:5, Insightful)
Don't click links in your email....manually go directly to your related site's home page
Unless it's a password reset email, then clicking the link is safer.
Re-typing the confirmation code in to the MITM website is the only way this type of attack can work when a password reset requires an email confirmation. Clicking the link takes the man out of the middle.
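The point this comment makes (a reset code the user retypes can be relayed through the attacker's form, a reset link that opens the real site cannot) can be shown in a small reset-token service. This is an added example, not code from the article or from any of the sites named in it; the host name accounts.example.com, the addresses, the 15-minute lifetime and the in-memory store are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hypothetical site that issues the reset (assumption for the example).
RESET_HOST = "accounts.example.com"
TOKEN_TTL_SECONDS = 15 * 60

# Pending resets keyed by sha256(token) -> (email, expiry time).
# Only the hash is stored, so reading the store does not yield a usable token.
_pending: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use, expiring token and return the link to put in the email.

    The token exists only inside the URL: there is no short code for the user to
    retype into a form on some other site, so clicking the link lands the user on
    RESET_HOST directly and nothing passes through a third party.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits, not guessable or enumerable
    _pending[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return f"https://{RESET_HOST}/reset?token={token}"


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email bound to the token and invalidate it.

    None means unknown, already used (replay) or expired; the pop() makes every
    token single-use whichever of those applies.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)
    if entry is None:
        return None
    email, expiry = entry
    if now > expiry:
        return None
    return email


def token_from_link(url: str) -> Optional[str]:
    """Extract the token only if the link really points at RESET_HOST over https.

    A look-alike host such as accounts.example.com.evil.test is rejected, which is
    the check a user (or a mail client) should make before following a reset link.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != RESET_HOST:
        return None
    values = parse_qs(parts.query).get("token")
    return values[0] if values else None


def demo() -> Dict[str, Optional[str]]:
    """Walk through the normal, replayed, expired and look-alike cases with fixed clocks."""
    link = issue_reset_link("victim@example.org", now=1000.0)
    tok = token_from_link(link)
    first = consume_reset_token(tok, now=1100.0)        # legitimate click
    second = consume_reset_token(tok, now=1200.0)       # replay of a used token
    stale = issue_reset_link("late@example.org", now=1000.0)
    late = consume_reset_token(token_from_link(stale), now=1000.0 + TOKEN_TTL_SECONDS + 1)
    lookalike = token_from_link("https://accounts.example.com.evil.test/reset?token=abc")
    return {"first": first, "second": second, "late": late, "lookalike": lookalike}


if __name__ == "__main__":
    print(demo())
```

The design choices are the ones that matter for the thread: the secret is long and random rather than a six-digit code, it is hashed at rest, it expires, it is consumed on first use, and it is delivered as a link rather than as something the user is asked to type somewhere.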
Re: (Score:3)
Why the FUCK is this modded insightful?
A link is a fucking link. You can type in any link into your browser manually. Or you can copy and paste the text of the link. Doing so makes NO difference. You end up at the same destination.
Clicking a link or manually navigating to some other page, then manually typing in a code is the same deal (actually a bit safer as the form data isn't exposed via the URL as in the link clicking/copying scenario). A MITM attack is useless if you're connected via SSL/TLS. (U
Re: (Score:2)
You're confused about the mod points because you don't understand.
This "MITM" isn't breaking SSL or TLS. They're relaying what you type in their websites signup form to the target websites password reset form.
If you type or copy/paste a verification code in the email you received from the target website that was triggered by the MITM, they have compromised your account.
If you click on the verification link in the email, they never receive the verification code, it gets submitted to the target site and becom
Re:People really are fucking stupid (Score:4, Funny)
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.
You'd think that someone trying to sign up for AwesomePorno.com, who suddenly gets a text message from Google that says "The Gmail code you requested is 8926," when they didn't request any code from Gmail, might notice that something hinky is going on. But no, people are god damned idiots. No wonder we wound up with a failed reality show clown in the White House.
He's signing up for AwesomePorno.com despite the huge number of free no-signup-required porn sites out there, so he's already shown that he's not the sharpest tool in the shed.
CAPTCHA (Score:1)
Isn't this old news? I thought this was always the weakness with CAPTCHA codes: present the code to real users (e.g., for access to porn) and you get someone entering the code for you.
Re: (Score:3)
Isn't this old news? I thought this was always the weakness with CAPTCHA codes: present the code to real users (e.g., for access to porn) and you get someone entering the code for you.
This isn't so much about the weakness in CAPTCHAs, which as you say is already known, but demonstrating yet another reason why "security questions" are bad for security.
There is a fallback if you've changed email (Score:3)
Often enough, people no longer have access to the email address they used when they signed up a long time ago. So while "a link in an email" is the default password reset, most popular sites offer other mechanisms as well.
Re: (Score:3)
I just tried it on Slashdot. Email is the only option.
I tried facebook too, I tried all the options available and it eventually said
We're sorry you're having trouble recovering your email address. Unfortunately, this means we can't verify who you are or give you access to the Facebook account you're trying to log into. We may hide the information on your Facebook account if we detect that you cannot regain access to it.
I suppose paypal still has the option of security questions. Not sure who else does though. I've always put random keyboard mashings when I'm forced to provide security questions.
XKCD Did It (Score:1, Offtopic)
https://xkcd.com/792/ [xkcd.com]
Re: (Score:2)
Except Google doesn't actually suck at being evil.
an attack by another name (Score:1)
"security questions" bite us again (Score:5, Insightful)
This illustrates the weakness of "security questions". Providing additional information to third party sites is never a good idea; the site should function with least amount of data as possible. A bank doesn't need to know what their customers' best childhood friends' names, or favorite colors are. I've always treated these as secondary passwords, generating a random string for each.
Re: "security questions" bite us again (Score:2, Informative)
Re: (Score:2)
Re: (Score:2)
How do you intercept the e-mail? (Score:2)
I know there's this idea that anything not encrypted is super vulnerable but really, think about what you are saying: How do you mount such an attack? Suppose that someone requests an account reset from Amazon and it is going to their Gmail account. Where do you propose to intercept the message? You think you can realistically hack in to the servers or network at either company? If not there you'd have to get in to one of the tier-1 transit providers. These are some pretty hard targets. Other than that the o
Re: (Score:2)
Apart from spam, I would guess a lot of email is encrypted everywhere.
A lot of email providers send and receive mail over encrypted connections.
Fastmail.com:
Encrypted sending/receiving
Whenever you send a message to someone outside of FastMail we have to send it across the open internet. Since January 2010 we have fully encrypted all connections between us and the receiving server whenever the other server supports it, preventing passive eavesdropping, tampering or forgery. Similarly, we have accepted encrypted connections for mail delivery to our servers since April 2009, and we encourage all servers connecting to us to use it.
Re: (Score:2)
whenever the other server supports it
You'd be shocked how many still don't.
Re: (Score:2)
You think you can realistically hack in to the servers or network at either company? If not there you'd have to get in to one of the tier-1 transit providers.
Or the ISP on either end, or your target user's internal network, or...
Yes, I think I can grab that data in-transit, because I used to do just that for kicks as a teenager. The statute of limitations has long since lapsed, so I'm not afraid to mention it openly now. It's trivial to get most home routers to spit out all kinds of stuff, and most corporate networks are large enough and an employee could plant their own device without being noticed until someone went to clean up the rack it was stuffed into,
Re: (Score:2)
Well first off forgive me if I don't believe your "I'm such a l33t haxor" stories without a bit of proof. I have encountered more than a few people in my career who have supposedly done all kinds of nifty shit, yet have trouble doing even the most basic IA related tasks.
Second, things have gotten more secure than since the Internet started. Source routing is something blocked on almost all networks, switches have replaced hubs (and switches are hardened against things like ARP poisoning now), most systems a
Re: How do you intercept the e-mail? (Score:2)
Re: (Score:2)
Password resets don't send plain text passwords. They send a link that can be used to reset the password, a link with a short life generally.
That aside, you think it is easy to pay off someone at Google to access e-mail? Try it. What you'd discover is that first most people are fairly moral, you may not be, but most are, but second that places like Google have some pretty serious security controls in place. A random employee can't just go and access someone's mail. I don't mean they aren't allowed to, I mean t
Re: (Score:2)
Password resets don't send plain text passwords.
Well, since I was replying to this:
Most real-world password reset mechanisms will send you the new password by email, and won't be vulnerable to this attack.
I think my point still stands. And yes, I actually have seen password resets that send an actual working password, and not just a link; fairly recently, at that.
Such a thing is monitored and requires authorization.
So, every filesystem or database read is monitored? No. Not even close.
You'd need to compromise more than one person
Unless that person is a DBA or sysadmin.
You seem to be applying 20 year old thinking to the modern IA landscape.
Right, and people pulling off successful social engineering attacks today are applying the very same thinking. It works just the same as it did in the 90's, which is exactly how it worked in the 70's. In
Re: (Score:2)
it's not that difficult to pay off someone on the gmail support staff to dump your account contents.
You don't even need to do that! You just need to have an annoying clippie-knockoff that is an ugly purple ape thing on your system, which tells jokes and spins balls around, or throws bananas across your screen. Then no matter the encryption, if it's decrypted for your eyes or viewable in any way, that "tophat search" toolbar or whatever will have no problem getting it.
And if you think a million people wouldn't willingly install such a thing.... https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
A site should never even store my plaintext password, let alone send it by unencrypted email.
Re: (Score:2)
How can it beat 2 factor auth? (Score:1)
Re: (Score:1)
Many email clients, especially the ones on mobile devices, have the tendency to display the name rather than the email address in the 'from:' field of the header.
In your example:
From: Something.com <1234567890@google.com>
Subject: Login Verification
The email programs'/web interfaces' inbox would display as:
Something.com | Login Verification
No doubt, the majority of people wouldn't check to see if the name matches the URL. Most people have trouble telling emails from SMS or whatever messengers they hav
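The display-name trick this comment describes (a "From:" whose friendly name is one site while the actual address belongs to another) is something a mail client or a triage script can flag mechanically. The following is an added example, not code from the article or the comment; the sample headers are constructed for the example and the domain-matching rule is an assumption about what counts as "the same site".

```python
import re
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Anything that looks like a host name inside the display name, e.g. "Something.com".
_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def split_from_header(value: str) -> Tuple[str, str]:
    """Return (display name, real address) from a raw From: header value."""
    name, addr = parseaddr(value)
    return name, addr


def address_domain(addr: str) -> str:
    """Domain part of the actual sender address, lower-cased ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_site(claimed: str, real: str) -> bool:
    # Assumption for the example: a name and an address agree when one domain
    # equals the other or is a subdomain of it (google.com vs accounts.google.com).
    return claimed == real or claimed.endswith("." + real) or real.endswith("." + claimed)


def display_name_domain_mismatch(value: str) -> Optional[str]:
    """Return the domain claimed in the display name when it disagrees with the
    sender's real domain, or None when nothing in the name contradicts the address."""
    name, addr = split_from_header(value)
    real = address_domain(addr)
    for match in _DOMAIN_RE.finditer(name):
        claimed = match.group(1).lower()
        if not _same_site(claimed, real):
            return claimed
    return None


def inbox_line(from_value: str, subject: str) -> str:
    """What a name-only inbox view shows: the display name, not the address."""
    name, addr = split_from_header(from_value)
    return f"{name or addr} | {subject}"


def triage(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (display name, claimed domain) for every header whose name lies about its origin."""
    flagged = []
    for value in headers:
        claimed = display_name_domain_mismatch(value)
        if claimed is not None:
            flagged.append((split_from_header(value)[0], claimed))
    return flagged


# Constructed sample headers; the first mirrors the pattern in the comment above.
SAMPLE_HEADERS = [
    "Something.com <1234567890@google.com>",
    "Google <no-reply@accounts.google.com>",
    "Example.org Security <alerts@example.org>",
    "PayPal.com <notice@paypal-alerts.test>",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(inbox_line(h, "Login Verification"), "->", display_name_domain_mismatch(h))
```

The inbox_line function shows why the check matters: on the first sample the user sees only "Something.com | Login Verification", and the real sending domain never appears unless something like triage looks at the address behind the name.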
I don't really understand this (Score:2)
I don't really understand this all that well, but it sounds kinda ... well ...awkward
Are you folks absolutely sure that using the Internet for anything other than entertainment, research, and casual conversation is prudent?
Re: (Score:2)
Or not: You can always download that tool that allows you to write PHP by throwing cow-pats at the screen with your Wii-mote.
(There must be one: it's the only way to explain the quality of most PHP code).
How is this new? Phishing to a site always works.. (Score:2)
...and always will work.
This works when creating an account, not just password resetting - it's just likely to be easier with password resetting because of the similarity of process between sites.
The only way to prevent this (under any protocol) is client identification against a list of known (not a priori) clients (e.g. published client certificates.)
If you want anonymity, then you're going to take the risk of being impersonated sadly...
Some websites ... (Score:2)
Avoid creating accounts (Score:1)
This is why I don't create accounts or "log in" to websites. There should rarely be a need to create an account unless you're buying something or it's your email.
The more accounts you create, the greater "attack surface" you create for yourself.
Why do I need an account? (Score:2)
Lately, I've been noticing a lot of sites requiring an account even for a one time purchase.
If I'm just buying a ticket to your location, and the odds are I'm never going to visit your site again, then WHY THE F**K DO I NEED TO CREATE AN ACCOUNT?