Slashdot Mirror


Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com)

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.

79 comments

  1. Hmm, I can use this! by Anonymous Coward · · Score: 0

    This could help me divorce my worthless husband, ShanghaiBill.

    1. Re: Hmm, I can use this! by Anonymous Coward · · Score: 0

      This could help me divorce my worthless husband, ShanghaiBill

      LOL, nice try, but ShanghaiBill is my husband. And last time I checked Santa Clara doesn't allow polygamy, so his money is mine.

    2. Re: Hmm, I can use this! by Anonymous Coward · · Score: 0

      ...and I'm divorcing him as soon as I can!

  2. two-factor authentication by Anonymous Coward · · Score: 0

    You mean SMS two-factor authentication, I have a yubikey.
    My best friend is |nbY/1*3C[H{*r8
    Next...

    1. Re:two-factor authentication by Anonymous Coward · · Score: 0

      Liar! I am |nbY/1*3C[H{*r8 and I don’t know anybody who has a yubikey.

    2. Re:two-factor authentication by peragrin · · Score: 1

      You still enter your second factor in the scam website thus providing them with authorization.

      However since every website with two factor has its own two factor they can only target selected sites at a given time.

      --
      i thought once I was found, but it was only a dream.
    3. Re:two-factor authentication by Anonymous Coward · · Score: 0

      You still enter your second factor in the scam website thus providing them with authorization.

      I can't speak for the previous anonymous coward, but that is not how I use my yubikey. I use the U2F protocol which produces a signed token that is bound to the website (specifically by hostname in the URL bar) that was requesting the second factor. To break that, you'd need to break DNS as well as TLS unless the legitimate site's login page is non-https.

    4. Re:two-factor authentication by sexconker · · Score: 1

      How would you be prompted to enter the second code into the site? "Durp, you never set up 2 factor authentication, but go ahead and enter the SMS you get from Google into this form field on a non-Google site."? Or perhaps "Uh, open your authenticator application and enter the code for the entry attached to the email account you just gave us."? Or even "Use your dedicated hardware token for your bank."?

  3. Good thing I use none of those PARASITES by Anonymous Coward · · Score: 0

    I bathe in 91% alcohol and I drink 92%, nothing Trump nor Obama can throw at me will have any rational effect.

    1. Re: Good thing I use none of those PARASITES by KGIII · · Score: 1

      That actually seems like a good defense.

      --
      "So long and thanks for all the fish."
    2. Re: Good thing I use none of those PARASITES by Anonymous Coward · · Score: 0

      Sounds like a functional alcoholic to me ;)

  4. Daily Computer Science paper by phantomfive · · Score: 1, Offtopic

    If you like this story, I recommend signing up for the daily computer science paper. I'm not affiliated, just like it. Lots of good stuff there.

    --
    "First they came for the slanderers and i said nothing."
    1. Re: Daily Computer Science paper by Anonymous Coward · · Score: 0

      If Creimer had posted that it would come with an affiliate link. xD

  5. 2FA by phantomfive · · Score: 0, Offtopic

    Two-factor authentication based on SMS texts can be less secure than just a password because the SMSes can be redirected by the attacker.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:2FA by Anonymous Coward · · Score: 1

      Quoting that article, "Adding a layer of SMS-based verification to your login process is certainly better than relying on a password alone.", because "Those attacks (...) likely require the attacker to figure out the user's cell phone number in addition to the password that they've stolen, guessed, or reused after being compromised in a data breach from another hacked service."
      At least scan things You quote for support of Your claims.

    2. Re:2FA by phantomfive · · Score: 1

      I would disagree with you if you were a protoss, but since you're a zergling you're alright

      --
      "First they came for the slanderers and i said nothing."
  6. So, don't do stupid shit. by Anonymous Coward · · Score: 0

    Ramp up those Internet street smarts, and basic critical thinking skills.

    Apply a sniff test for crying out loud. If something is too good to be true, it is. If the site is unclean in some way (weird URL, etc.), ditch it. Don't click links in your email....manually go directly to your related site's home page (and only if you already know it to be legit).

    If you are a sucker, there are plenty of other ways you will get scammed. If you are not a sucker, you don't need to read about these kinds of attacks because you are already assuming that most of the Internet is trying this on you, and won't fall for them because your guard is always up.

    But it is on YOU to smarten up and not be a sucker.

    1. Re:So, don't do stupid shit. by viperidaenz · · Score: 4, Insightful

      Don't click links in your email....manually go directly to your related site's home page

      Unless it's a password reset email, then clicking the link is safer.
      Re-typing the confirmation code into the MITM website is the only way this type of attack can work when a password reset requires an email confirmation. Clicking the link takes the man out of the middle.

    2. Re:So, don't do stupid shit. by Anonymous Coward · · Score: 0

      Clicking the link takes the man out of the middle.

      It can, if the landing page says, "click again to actually reset your account," so the user has a chance to not click after they realize they're resetting their Google account password, not their happyfunlog.com password. Some landing pages say "thanks, password reset," no further click required.

    3. Re:So, don't do stupid shit. by sexconker · · Score: 2

      Why the FUCK is this modded insightful?

      A link is a fucking link. You can type in any link into your browser manually. Or you can copy and paste the text of the link. Doing so makes NO difference. You end up at the same destination.

      Clicking a link or manually navigating to some other page, then manually typing in a code is the same deal (actually a bit safer as the form data isn't exposed via the URL as in the link clicking/copying scenario). A MITM attack is useless if you're connected via SSL/TLS. (Unless you believe the MITM can break SSL/TLS, at which point you're fucked regardless.)

    4. Re:So, don't do stupid shit. by viperidaenz · · Score: 1

      You're confused about the mod points because you don't understand.

      This "MITM" isn't breaking SSL or TLS. They're relaying what you type in their websites signup form to the target websites password reset form.
      If you type or copy/paste a verification code in the email you received from the target website that was triggered by the MITM, they have compromised your account.
      If you click on the verification link in the email, they never receive the verification code, it gets submitted to the target site and becomes invalid. Your account is safe.

      This vulnerability can be completely mitigated by not using security questions and not sending users verification codes, only sending them a verification link.

    5. Re: So, don't do stupid shit. by Anonymous Coward · · Score: 0

      +1, I hate the stupid security questions... wtf I only have so many mother's maiden names, best friends' names, first pets, first cars... if I actually answered these correctly everywhere they wouldn't be my private knowledge anymore

    6. Re: So, don't do stupid shit. by Anonymous Coward · · Score: 0

      The other problem is that the majority of identity theft victims know who did it, and those idiotic security questions are why because they are used by banks and other services.

      First pet? My mother, father, neighbors, and all my friends know that.
      Dad's first job? My mother, father, neighbors, and all my dad's friends and union boys know that.
      Mother's maiden name? My mother, all her friends, my dad, and my entire family know that.
      Street I grew up on? Mother, father, their relatives, their employers, all my friends, and school staff know that.
      First car? Mother, father, all my friends, and everyone in my street knows that.
      Favorite book? Family, friends, and people who read my blog know that.
      First company? Employer, family, and friends know that.

      Fixed security questions are a security risk, born of ignorance, incompetence, and laziness. If I am not allowed a custom security question, I will complain on a daily basis until they do as I tell them (I'm not asking them, I'm telling them to do as they are told), otherwise I will not use their service and I actively encourage others to do the same. It should be treated with the same scorn and shame as a plaintext password or an unmasked password field.

      The security question should be something that would require a full encephalectomy and analysis of the individual nodes of the brain to find out.

  7. People really are fucking stupid by Anonymous Coward · · Score: 0, Flamebait

    Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.

    You'd think that someone trying to sign up for AwesomePorno.com, who suddenly gets a text message from Google that says "The Gmail code you requested is 8926," when they didn't request any code from Gmail, might notice that something hinky is going on. But no, people are god damned idiots. No wonder we wound up with a failed reality show clown in the White House.

    1. Re:People really are fucking stupid by hawguy · · Score: 3, Funny

      Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.

      You'd think that someone trying to sign up for AwesomePorno.com, who suddenly gets a text message from Google that says "The Gmail code you requested is 8926," when they didn't request any code from Gmail, might notice that something hinky is going on. But no, people are god damned idiots. No wonder we wound up with a failed reality show clown in the White House.

      He's signing up for AwesomePorno.com despite the huge number of free no-signup-required porn sites out there, so he's already shown that he's not the sharpest tool in the shed.

    2. Re: People really are fucking stupid by Anonymous Coward · · Score: 0

      despite the yuge number of free no-signup-required porn sites out there, cockfuckfefe

  8. CAPTCHA by Anonymous Coward · · Score: 1

    Isn't this old news? I thought this was always the weakness with CAPTCHA codes: present the code to real users (e.g., for access to porn) and you get someone entering the code for you.

    1. Re:CAPTCHA by hawguy · · Score: 2

      Isn't this old news? I thought this was always the weakness with CAPTCHA codes: present the code to real users (e.g., for access to porn) and you get someone entering the code for you.

      This isn't so much about the weakness in CAPTCHAs, which as you say is already known, but demonstrating yet another reason why "security questions" are bad for security.

  9. So... How does it work? by Anonymous Coward · · Score: 0

    I enter my details to this website, they send them to another website's password reset page, I get sent a password reset email, I click the link in the email and get sent to the real website. I'm no longer at the attacking website.

    This is after blindly clicking a link in an email with the subject of password reset from a website I'm not trying to access.

  10. XKCD Did It by Hands+of+Blue · · Score: 1, Offtopic
    1. Re:XKCD Did It by 93+Escort+Wagon · · Score: 1

      Except Google doesn't actually suck at being evil.

      --
      #DeleteChrome
  11. an attack by another name by Moblaster · · Score: 0

    This kind of hungry hustle of an attack vector really deserves to be called more than a man-in-the-middle attack. More a man-on-the-outside-looking-in.

  12. "security questions" bite us again by Anonymous Coward · · Score: 5, Insightful

    This illustrates the weakness of "security questions". Providing additional information to third party sites is never a good idea; the site should function with the least amount of data possible. A bank doesn't need to know what their customers' best childhood friends' names, or favorite colors are. I've always treated these as secondary passwords, generating a random string for each.

    1. Re: "security questions" bite us again by peppepz · · Score: 1, Informative

      Most real-world password reset mechanisms will send you the new password by email, and won't be vulnerable to this attack.

    2. Re: "security questions" bite us again by BronsCon · · Score: 1

      Instead, they'll be vulnerable to interception of the plaintext email in-transit, and also available to anyone who accesses your email account.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re: "security questions" bite us again by Anonymous Coward · · Score: 0

      Ok, then I will direct message the password reset link to your twitter/facebook/google account.

    4. Re: "security questions" bite us again by Anonymous Coward · · Score: 1

      A site should never even store my plaintext password, let alone send it by unencrypted email.

    5. Re:"security questions" bite us again by Anonymous Coward · · Score: 0

      Yes, and then the one time that you need to urgently contact them by phone, they ask for your mother's maiden name and you have to remember that it's HEhTOD9XGf-,vEZxMUZz;0d2 and spell it out to them.

    6. Re: "security questions" bite us again by peppepz · · Score: 1

      They will do neither. Typically, they will send you by email a single-use and time-limited token. You are supposed to connect to the website via https, enter the token, and usually you will be asked a security question as a proof of your identity. After that, you'll be able to set a new password to replace the forgotten one. No unencrypted password will ever travel by email.
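      The reset-by-link flow that viperidaenz (click the link, never retype a code) and peppepz (single-use, time-limited token) describe, as an added illustration that is not code from the article or the thread. ResetService, the clock hook and the hostnames are constructed for the example; the site stores only a hash of the token.

```python
"""Reset-by-link flow described in the thread (viperidaenz, peppepz).

Added illustration, not code from the article or the thread.  The site emails a
random, single-use, time-limited token embedded in a link; following the link
delivers the token to the issuing site and nowhere else, and the site keeps only
a hash of it.  ResetService and the hostnames are constructed for the example.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingReset:
    account: str
    expires_at: float


class ResetService:
    """The legitimate site's password-reset back end."""

    def __init__(self, origin: str, clock: Callable[[], float] = time.time) -> None:
        self.origin = origin
        self._clock = clock
        # Keyed by SHA-256 of the token: a database read yields nothing usable.
        self._pending: Dict[bytes, PendingReset] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, account: str) -> str:
        """Return the link that would be emailed to the address already on file."""
        token = secrets.token_urlsafe(32)  # 256 bits: not something a user retypes
        self._pending[self._digest(token)] = PendingReset(
            account, self._clock() + TOKEN_TTL_SECONDS
        )
        return f"{self.origin}/reset?" + urlencode({"token": token})

    def consume(self, token: str) -> Optional[str]:
        """Spend the token exactly once; return the account it unlocks, or None."""
        entry = self._pending.pop(self._digest(token), None)  # gone whether or not valid
        if entry is None or self._clock() > entry.expires_at:
            return None
        return entry.account


def follow_link(service: ResetService, link: str) -> Optional[str]:
    """The user clicks the emailed link: the token travels only to the issuing origin."""
    url = urlparse(link)
    if f"{url.scheme}://{url.netloc}" != service.origin:
        return None  # a browser would not submit this token to some other site
    token = parse_qs(url.query).get("token", [""])[0]
    return service.consume(token)


def scenario_click_link() -> Tuple[Optional[str], Optional[str]]:
    """First click resets the account; a second use of the same link is dead."""
    svc = ResetService("https://mail.example")
    link = svc.request_reset("victim")
    return follow_link(svc, link), follow_link(svc, link)  # ("victim", None)


def scenario_expired() -> Optional[str]:
    """A link opened after the TTL is refused even though it was never used."""
    now = [1_700_000_000.0]
    svc = ResetService("https://mail.example", clock=lambda: now[0])
    link = svc.request_reset("victim")
    now[0] += TOKEN_TTL_SECONDS + 1
    return follow_link(svc, link)  # None
```

      Contrast with a short code shown on screen: nothing in the token store can tell whether the human who types the code is on the issuing site or on a relay, which is why the thread's advice is to deliver the token only as a link.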

    7. Re: "security questions" bite us again by BronsCon · · Score: 1

      That's a start. Hell, even emailing the password reset link is fine. Just not the password itself. The same applies to Twitter, Facebook, and Google messaging as well; if you send the password, anyone who accesses those accounts has the password.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    8. Re:"security questions" bite us again by Anonymous Coward · · Score: 0

      Stupid cow at the call center: "Okay capital H capital E... *types in c-a-p-i-t-a-l-h-c-a-p-i-t-a-l-e-s-m-a-l-l-h at the speed of one letter every three seconds*"

  13. Doesn't affect me by Anonymous Coward · · Score: 0

    I use a different address for every site I register with.

    1. Re: Doesn't affect me by Anonymous Coward · · Score: 0

      Donald?

    2. Re: Doesn't affect me by Anonymous Coward · · Score: 0

      Jacob?

  14. How can it beat 2 factor auth? by fennec · · Score: 1

    If I'm registering on something.com and get a 2 factor request on google.com I won't approve it.

    1. Re:How can it beat 2 factor auth? by Anonymous Coward · · Score: 0

      "If I'm registering on something.com and get a 2 factor request on google.com I won't approve it."

      You're a nerd posting on Slashdot.

      Other people just see an email that contains fully correct information and must therefore be a valid request from Google. From something.com, who apparently work together with Google, like many other companies. Or even from Google, reply-to something.com.

    2. Re:How can it beat 2 factor auth? by Anonymous Coward · · Score: 1

      Many eMail clients, especially the ones on mobile devices, have the tendency to display the name rather than the email address in the 'from:' field of the header.
      In your example:
      From: Something.com <1234567890@google.com>
      Subject: Login Verification
      The email programs'/web interfaces' inbox would display as:
      Something.com | Login Verification

      No doubt, the majority of people wouldn't check to see if the name matches the URL. Most people have trouble telling emails from SMS or whatever messengers they have installed.

  15. There is a fallback if you've changed email by raymorris · · Score: 2

    Often enough, people no longer have access to the email address they used when they signed up a long time ago. So while "a link in an email" is the default password reset, most popular sites offer other mechanisms as well.

    1. Re:There is a fallback if you've changed email by viperidaenz · · Score: 2

      I just tried it on slashdot. email is the only option
      I tried facebook too, I tried all the options available and it eventually said

      We're sorry you're having trouble recovering your email address. Unfortunately, this means we can't verify who you are or give you access to the Facebook account you're trying to log into. We may hide the information on your Facebook account if we detect that you cannot regain access to it.

      I suppose paypal still has the option of security questions. Not sure who else does though. I've always put random keyboard mashings when I'm forced to provide security questions.

  16. Everyone in this room is now dumber.... by Anonymous Coward · · Score: 0

    ...for having read this. I award you no points, and may God have mercy on your soul.

    But seriously - This is like saying that to steal your car, all I have to do is break into your house, wait for you to come home, bop you over the head, then take the keys to your car from your purse. OMG!!! We have found a new car vulnerability - let's panic! How many more of these inane stories do we have to read about InfoSec "researchers" getting erections from more-and-more incredibly convoluted "attacks".

    If information wants to be stolen, there are far simpler and easier ways to do it. Enough with this nonsense, please.

    1. Re: Everyone in this room is now dumber.... by Anonymous Coward · · Score: 0

      This type of complicated attack was probably used by some spy agency. It's good that this is being fixed though.

  17. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  18. I don't really understand this by vtcodger · · Score: 1

    I don't really understand this all that well, but it sounds kinda ... well ...awkward

    Are you folks absolutely sure that using the Internet for anything other than entertainment, research, and casual conversation is prudent?

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  19. Constant reminder to armchair security gurus by Anonymous Coward · · Score: 0

    More complicated does not mean more secure. Often, the opposite is the case. You are not a security expert. Your two cents is not worth even that.

    It may take some skill to write a program, but any damn fool can run one.

    1. Re:Constant reminder to armchair security gurus by Anne+Thwacks · · Score: 1

      It may take some skill to write a program,

      Or not: You can always download that tool that allows you to write PHP by throwing cow-pats at the screen with your Wii-mote.

      (There must be one: it's the only way to explain the quality of most PHP code).

      --
      Sent from my ASR33 using ASCII
    2. Re: Constant reminder to armchair security gurus by Anonymous Coward · · Score: 0

      Stop blaming the tools and blame the people who use those tools.

      There is good quality php code out there.

  20. How do you intercept the e-mail? by Sycraft-fu · · Score: 1

    I know there's this idea that anything not encrypted is super vulnerable but really, think about what you are saying: How do you mount such an attack? Suppose that someone requests an account reset from Amazon and it is going to their Gmail account. Where do you propose to intercept the message? You think you can realistically hack in to the servers or network at either company? If not there you'd have to get in to one of the tier-1 transit providers. These are some pretty hard targets. Other than that the only thing you could target is the lines themselves. Of course it is a bit difficult to physically tap fiber in a conduit, and is a bit conspicuous.

    It is far less feasible to intercept plain text traffic than many geeks make it out to be. It is not impossible, a state actor can do it, or the ISPs themselves of course. But for J. Random Hacker? Pretty close to impossible. Particularly if you are talking e-mail which these days is normally only plain text between providers, and is sent encrypted to the end user. Getting to tap that traffic would be very difficult, and I'd argue someone that did would have higher value targets than a password reset e-mail.

    1. Re:How do you intercept the e-mail? by Anonymous Coward · · Score: 0

      You don't. If you read the article, it only works with security questions and if the user does not pay attention to the sender of password reset email at all.

    2. Re:How do you intercept the e-mail? by viperidaenz · · Score: 1

      Apart from spam, I would guess a lot of email is encrypted everywhere.
      A lot of email providers send and receive mail over encrypted connections.
      Fastmail.com:

      Encrypted sending/receiving
      Whenever you send a message to someone outside of FastMail we have to send it across the open internet. Since January 2010 we have fully encrypted all connections between us and the receiving server whenever the other server supports it, preventing passive eavesdropping, tampering or forgery. Similarly, we have accepted encrypted connections for mail delivery to our servers since April 2009, and we encourage all servers connecting to us to use it.

    3. Re:How do you intercept the e-mail? by BronsCon · · Score: 1

      You think you can realistically hack in to the servers or network at either company? If not there you'd have to get in to one of the tier-1 transit providers.

      Or the ISP on either end, or your target user's internal network, or...

      Yes, I think I can grab that data in-transit, because I used to do just that for kicks as a teenager. The statute of limitations has long since lapsed, so I'm not afraid to mention it openly now. It's trivial to get most home routers to spit out all kinds of stuff, and most corporate networks are large enough that an employee could plant their own device without being noticed until someone went to clean up the rack it was stuffed into, by which point they'll have already gotten what they were after and moved on.

      It's so far from impossible, I wouldn't even call it difficult. A mild challenge, at best.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    4. Re:How do you intercept the e-mail? by BronsCon · · Score: 1

      whenever the other server supports it

      You'd be shocked how many still don't.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:How do you intercept the e-mail? by Sycraft-fu · · Score: 1

      Well first off forgive me if I don't believe your "I'm such a l33t haxor" stories without a bit of proof. I have encountered more than a few people in my career who have supposedly done all kinds of nifty shit, yet have trouble doing even the most basic IA related tasks.

      Second, things have gotten more secure since the Internet started. Source routing is something blocked on almost all networks, switches have replaced hubs (and switches are hardened against things like ARP poisoning now), most systems and networks have stateful firewalls sitting on them, and so on. What worked in 1995 is not very likely to work today.

      However the biggest of all is as I noted in my first post: E-mail is generally encrypted between provider and person today. The biggest e-mail platforms, Gmail, Office 365, etc do encryption to the endpoint. When you check Gmail, be it via web browser or your phone, Google encrypts the session with TLS and your browser/app decrypts it. That means any data theft on the target's network or the ISP is out, it is encrypted.

      So you are then left with the e-mail host, the company sending the mail, and maybe the transit providers supposing those companies don't encrypt e-mail between them (which they often do). If you really think you can hit Google, well then let's hear how that would go. Lay out the theoretical framework for how you'd get in to their systems to be able to monitor data in transit.

      So no, sorry, this isn't an easy task to accomplish. You'd be far more likely to succeed in attacking the target's computer (as ever) in which case crypto doesn't matter since it is decrypted on their system. Of course neither would a reset e-mail since you could just capture the passwords directly.

    6. Re: How do you intercept the e-mail? by BronsCon · · Score: 1

      Yet you ignored the second vulnerability I mentioned in the post you initially replied to. If you've got plaintext passwords sitting in your email, you've got problems that have nothing at all to do with whether or not I can intercept your traffic. While it may (or may not) be difficult to hack Google's servers, it's not that difficult to pay off someone on the gmail support staff to dump your account contents.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re: How do you intercept the e-mail? by Sycraft-fu · · Score: 1

      Password resets don't send plain text passwords. They send a link that can be used to reset the password, a link with a short life generally.

      That aside you think it is easy to pay off someone at Google to access e-mail? Try it. What you'd discover is that first most people are fairly moral (you may not be, but most are), and second that places like Google have some pretty serious security controls in place. A random employee can't just go and access someone's mail. I don't mean they aren't allowed to, I mean there are controls in place to keep them from doing so. Such a thing is monitored and requires authorization. You'd need to compromise more than one person, and that's pretty hard, certainly more than a "mild challenge". Particularly given that your target is a password reset for some random person's account.

      You seem to be applying 20 year old thinking to the modern IA landscape. Yes, back in the 90s it might have been easier to compromise someone at the local ISP that had all of 10 people working at it and no security controls at all to get in to the mail server. Well part of the changing world and the "cloud" nature of modern services is that's not your target anymore. By and large mail is hosted by big providers, who have some of the best blue and red teams in the business working for them. They are hard targets.

      While e-mailed password reset links are not the best way of doing security, they are plenty good enough for the value of what they are protecting. The resources required to compromise such a thing are way in excess of the value you'd gain. So people aren't going to try.

    8. Re: How do you intercept the e-mail? by barbariccow · · Score: 1

      it's not that difficult to pay off someone on the gmail support staff to dump your account contents.

      You don't even need to do that! You just need to have an annoying clippie-knockoff that is an ugly purple ape thing on your system, which tells jokes and spins balls around, or throws bananas across your screen. Then no matter the encryption, if it's decrypted for your eyes or viewable in any way, that "tophat search" toolbar or whatever will have no problem getting it.

      And if you think a million people wouldn't willingly install such a thing.... https://en.wikipedia.org/wiki/...

    9. Re: How do you intercept the e-mail? by BronsCon · · Score: 1

      Password resets don't send plain text passwords.

      Well, since I was replying to this:

      Most real-world password reset mechanisms will send you the new password by email, and won't be vulnerable to this attack.

      I think my point still stands. And yes, I actually have seen password resets that send an actual working password, and not just a link; fairly recently, at that.

      Such a thing is monitored and requires authorization.

      So, every filesystem or database read is monitored? No. Not even close.

      You'd need to compromise more than one person

      Unless that person is a DBA or sysadmin.

      You seem to be applying 20 year old thinking to the modern IA landscape.

      Right, and people pulling off successful social engineering attacks today are applying the very same thinking. It works just the same as it did in the 90's, which is exactly how it worked in the 70's. In fact, it's worked for as long as confidential written records have existed and will continue working well beyond our individual mortal existences.

      Of course, I should have known you weren't keen on paying attention and putting two and two together when you couldn't piece together why I was talking about sending passwords via email in the first place. You seem to be just the kind of inattentive ninny who gets used in social engineering attacks in the first place, based solely on our interaction here. Perhaps I'm wrong, and I surely hope so given that you appear to at least attempt to take on a security role somewhere. I sincerely hope you pay closer attention to details at work, if that's the case.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  21. "beat two-factor authentication"?! by Anonymous Coward · · Score: 0

    "Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site" - This is completely false.

    When you perform two-factor authentication and get an SMS with a code from somewhere, you know where it came from.
    If I'll try to register to maliciouswebsite.com, provide my phone number for authentication, and get an SMS with a code from Gmail, I'll know something is super fishy.

  22. How is this new? Phishing to a site always works.. by Assmasher · · Score: 1

    ...and always will work.

    This works when creating an account, not just password resetting - it's just likely to be easier with password resetting because of the similarity of process between sites.

    The only way to prevent this (under any protocol) is client identification against a list of known (not a priori) clients (e.g. published client certificates.)

    If you want anonymity, then you're going to take the risk of being impersonated sadly...

  23. U2F stops phishing by Anonymous Coward · · Score: 0

    Sending 2FA to a phone is MITM-able with this technique. People won't pay attention to who sent them the code.

    U2F tokens aren't phishable with this technique. Their willingness to attest is bound to an origin, so as long as you stick them into a friendly browser, you're safe.

    There's no UI on the token itself, so it's not safe with an unfriendly browser, like a doorknob: if you used a U2F token to unlock your door, it might take over your GMail account instead.
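    A toy model of the origin binding this post and the earlier U2F comment describe, added here as an illustration; it is not the thread's code nor any vendor's implementation. A per-origin HMAC key stands in for the real per-origin ECDSA key pair (standard library only), and the Token, Browser and RelyingParty classes and all hostnames are constructed.

```python
"""Toy model of the U2F origin binding discussed in the thread.

Added illustration, not the thread's or any vendor's code.  A per-origin HMAC key
stands in for the real scheme's per-origin ECDSA key pair (stdlib only), so the
"signature" is a MAC; the property shown is the same: an assertion is bound to
the origin the browser actually saw, not to the site that relays the challenge.
All hostnames are constructed.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set, Tuple


class Token:
    """The hardware token: one key per application id, derived on demand."""

    def __init__(self, master_secret: bytes) -> None:
        self._master = master_secret

    def _app_key(self, app_id: str) -> bytes:
        # Stand-in for deriving a distinct key pair per app id.
        return hmac.new(self._master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        # A real token hands out a public key; here the RP receives the MAC key.
        return self._app_key(app_id)

    def sign(self, app_id: str, client_data: bytes) -> bytes:
        return hmac.new(self._app_key(app_id), client_data, hashlib.sha256).digest()


class Browser:
    """The 'friendly browser': it, not the page, tells the token which origin asks."""

    def __init__(self, token: Token) -> None:
        self._token = token

    def register(self, page_origin: str) -> bytes:
        return self._token.register(page_origin)

    def get_assertion(self, page_origin: str, challenge: str) -> Tuple[bytes, bytes]:
        # The origin goes into the signed client data and selects the key.
        client_data = json.dumps(
            {"challenge": challenge, "origin": page_origin}, sort_keys=True
        ).encode()
        return client_data, self._token.sign(page_origin, client_data)


class RelyingParty:
    """The legitimate site; it accepts assertions only for its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._key: Optional[bytes] = None
        self._challenges: Set[str] = set()

    def enroll(self, key: bytes) -> None:
        self._key = key

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(16)
        self._challenges.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature: bytes) -> bool:
        if self._key is None:
            return False
        data = json.loads(client_data)
        # Single use: a challenge we never issued, or already consumed, fails.
        if data.get("challenge") not in self._challenges:
            return False
        self._challenges.discard(data["challenge"])
        # Origin check: an assertion produced for another site is useless here.
        if data.get("origin") != self.origin:
            return False
        expected = hmac.new(self._key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def setup() -> Tuple[RelyingParty, Browser]:
    rp = RelyingParty("https://mail.example")
    browser = Browser(Token(secrets.token_bytes(32)))
    rp.enroll(browser.register(rp.origin))  # enrolment happened on the real site
    return rp, browser


def legitimate_login() -> bool:
    """User is on the real site, so the browser reports the real origin."""
    rp, browser = setup()
    return rp.verify(*browser.get_assertion(rp.origin, rp.new_challenge()))


def relayed_login() -> bool:
    """A relay site obtains a real challenge and has the user's token approve it."""
    rp, browser = setup()
    client_data, signature = browser.get_assertion("https://relay.example", rp.new_challenge())
    return rp.verify(client_data, signature)  # origin and key both mismatch: False
```

    The "unfriendly browser" caveat in the post corresponds to the Browser class lying about page_origin; the token has no way to notice, which is why the binding is only as good as the client that reports the origin.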

  24. Some websites ... by PPH · · Score: 1

    ... e-mail you a new temporary password upon receiving the reset request. To an e-mail address already on file. Even if the MITM attack initiated the reset, they wouldn't be able to see the subsequent e-mail exchange with the new password, link to acknowledge receipt, etc. unless they had also hacked your e-mail. Well written password maintenance pages will ignore the insertion of an alternate e-mail address. Lose your old e-mail account and you have to answer a bunch of security questions. Or you are SOL with that account.

    --
    Have gnu, will travel.
  25. Avoid creating accounts by Anonymous Coward · · Score: 1

    This is why I don't create accounts or "log in" to websites. There should rarely be a need to create an account unless you're buying something or it's your email.
    The more accounts you create the greater "attack surface" you create for yourself .

  26. Why do I need an account? by sconeu · · Score: 1

    Lately, I've been noticing a lot of sites requiring an account even for a one time purchase.

    If I'm just buying a ticket to your location, and the odds are I'm never going to visit your site again, then WHY THE F**K DO I NEED TO CREATE AN ACCOUNT?

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  27. I don't see how this would work. by Anonymous Coward · · Score: 0

    At least on a security conscious person. Y'see, I haven't (for years,) used the same password on more than one site, NOR the same security challenge and answer questions and responses, which in fact are nonsense. My passwords I use a manager for, because I'd have no hope of remembering "f9cn1j(*3121jdsfd" or whatever, and in response to "What is your favorite food," I'll put something like "SmUldring tier fier wit skungz."

    No one's going to guess THAT. Even if you captured ONE somehow, while I'm trying to log IN to an actual site, it would only give you that ONE.

    So I'm not too worried about this.

  28. Around for awhile by Anonymous Coward · · Score: 0

    This attack has been around for quite awhile in the form of "using your free mp3 download website to hack other captchas", but was mainly used to create numerous spam accounts.

  29. It won't actually work for most sites by Anonymous Coward · · Score: 0

    When you request a password reset for most sites the site sends an email with a link to create a new password as opposed to sending a temporary password. The original site where the request was submitted from never provides a direct login box for using the new password.