Slashdot Mirror


Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com)

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers are forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.
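The relay described above, modelled as a small added example (not code from the article or the researchers): a reset service that texts a bare code is relayed successfully, while one whose message names the site and the action gives the user a chance to notice the mismatch. Site names, the victim's behaviour model and the six-digit code format are assumptions.

```python
import re
import secrets

class ResetService:
    """A site whose password reset sends a code out of band (e.g. by SMS)."""
    def __init__(self, name, explicit):
        self.name, self.explicit, self.codes = name, explicit, {}

    def start_reset(self, username):
        """Return the message the site would text to the account's phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[username] = code
        if self.explicit:
            # Names the site and the action, so it cannot pass as a sign-up code
            return (f"{self.name}: use {code} to reset the password of {username}. "
                    f"Enter it only on {self.name}.")
        return f"Your verification code is {code}"  # looks like any sign-up code

    def finish_reset(self, username, code):
        """Single-use check of the code; True means the password was reset."""
        return self.codes.pop(username, None) == code

class Victim:
    """User model (assumption): types the received code into whichever site
    asked for it, unless the message itself names a different site."""
    def __init__(self, username):
        self.username, self.inbox = username, []

    def enter_code(self, asking_site):
        msg = self.inbox.pop()
        named = msg.split(":", 1)[0] if ":" in msg else None
        if named and named != asking_site:
            return None  # mismatch noticed, nothing is typed
        return re.search(r"\b\d{6}\b", msg).group(0)

def prmitm_relay(target, victim, lure_site="lure.example"):
    """The relay from the summary: the victim's sign-up on the lure site
    triggers a reset on the target, the target's prompt reaches the victim,
    and the victim answers it on the lure site."""
    victim.inbox.append(target.start_reset(victim.username))  # target texts the victim
    code = victim.enter_code(lure_site)                        # victim answers the lure site
    return code is not None and target.finish_reset(victim.username, code)

if __name__ == "__main__":
    print(prmitm_relay(ResetService("bank.example", explicit=False), Victim("alice")))  # True
    print(prmitm_relay(ResetService("bank.example", explicit=True), Victim("alice")))   # False
```

The explicit message only helps a user who reads it; it raises the bar for the relay rather than closing it, which is why the same caveat applies to the SMS second factor mentioned in the summary.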

3 of 79 comments

  1. Daily Computer Science paper by phantomfive · Score: 1, Offtopic

    If you like this story, I recommend signing up for the daily computer science paper. I'm not affiliated, just like it. Lots of good stuff there.

    --
    "First they came for the slanderers and i said nothing."
  2. 2FA by phantomfive · Score: 0, Offtopic

    Two-factor authentication based on SMS texts can be less secure than just a password because the SMSes can be redirected by the attacker.

    --
    "First they came for the slanderers and i said nothing."
  3. XKCD Did It by Hands of Blue · Score: 1, Offtopic