Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com)

← Back to Stories (view on slashdot.org)

Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com)

Posted by EditorDavid on Saturday June 24, 2017 @04:06PM from the three-factor-authentication dept.

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.

40 of 79 comments (clear)

Min score:

Reason:

Sort:

Daily Computer Science paper by phantomfive · 2017-06-24 16:16 · Score: 1, Offtopic

If you like this story, I recommend signing up for the daily computer science paper. I'm not affiliated, just like it. Lots of good stuff there.

--
"First they came for the slanderers and i said nothing."
CAPTCHA by Anonymous Coward · 2017-06-24 16:32 · Score: 1

Isn't this old news? I thought this was always the weakness with CAPTCHA codes: present the code to real users (e.g., for access to porn) and you get someone entering the code for you.
1. Re:CAPTCHA by hawguy · 2017-06-24 18:33 · Score: 2
  
  Isn't this old news? I thought this was always the weakness with CAPTCHA codes: present the code to real users (e.g., for access to porn) and you get someone entering the code for you.
  This isn't so much about the weakness in Capcha's, which as you say is already know, but demonstrating yet another reason why "security questions" are bad for security.
XKCD Did It by Hands+of+Blue · 2017-06-24 16:36 · Score: 1, Offtopic

https://xkcd.com/792/
1. Re:XKCD Did It by 93+Escort+Wagon · 2017-06-24 17:34 · Score: 1
  
  Except Google doesn't actually suck at being evil.
  
  --
  #DeleteChrome
"security questions" bite us again by Anonymous Coward · 2017-06-24 16:59 · Score: 5, Insightful

This illustrates the weakness of "security questions". Providing additional information to third party sites is never a good idea; the site should function with least amount of data as possible. A bank doesn't need to know what their customers' best childhood friends' names, or favorite colors are. I've always treated these as secondary passwords, generating a random string for each.
1. Re: "security questions" bite us again by peppepz · 2017-06-24 17:03 · Score: 1, Informative
  
  Most real-world password reset mechanisms will send you the new password by email, and won't be vulnerable to this attack.
2. Re: "security questions" bite us again by BronsCon · 2017-06-24 17:13 · Score: 1
  
  Instead, they'll be vulnerable to interception of the plaintext email in-transit, and also available to anyone who accesses your email account.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
3. Re: "security questions" bite us again by Anonymous Coward · 2017-06-24 18:44 · Score: 1
  
  A site should never even store my plaintext password, let alone send it by unencrypted email.
4. Re: "security questions" bite us again by peppepz · 2017-06-25 01:52 · Score: 1
  
  They will do none of the two. Typically, they will send to you by email a single-use and time-limited token. You are supposed to connect to the website via https, enter the token, and usually you will be asked a security question as a proof of your identity. After that, you'll be able to set a new password to replace the forgotten one. No unencrypted password will ever travel by email.
5. Re: "security questions" bite us again by BronsCon · 2017-06-25 05:32 · Score: 1
  
  That's a start. Hell, even email the password reset link is fine. Just not the password itself. The same applies to Twitter, Facebook, and Google messaging as well; if you send the password, anyone who accesses those accounts has the password.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
How can it beat 2 factor auth? by fennec · 2017-06-24 17:34 · Score: 1

If I'm registering on somthing.com and get 2 factor request on google.com I won't approve it.
1. Re:How can it beat 2 factor auth? by Anonymous Coward · 2017-06-24 19:35 · Score: 1
  
  Many eMail clients, especially the ones on mobile devices, have the tendency to display the name rather than the email adress in the 'from:' field of the header.
  In your example:
  From: Something.com <1234567890@google.com>
  Subject: Login Verification
  The email programs'/web interfaces' inbox would display as:
  Something.com | Login Verification
  No doubt, the majority of people wouldn't check to see if the name matches the URL. Most people have troubles telling emails from SMS or whatever messengers they have installed
Re:2FA by Anonymous Coward · 2017-06-24 17:38 · Score: 1

Quoting that article, "Adding a layer of SMS-based verification to your login process is certainly better than relying on a password alone.", because "Those attacks (...) likely require the attacker to figure out the user's cell phone number in addition to the password that they've stolen, guessed, or reused after being compromised in a data breach from another hacked service."
At least scan things You quote for support of Your claims.
There is a fallback if you've changed email by raymorris · 2017-06-24 17:41 · Score: 2

Often enough, people no longer have access to the email address they used when they signed up a long time ago. So while "a link in an email" is the default password reset, most popular sites offer other mechanisms as well.
1. Re:There is a fallback if you've changed email by viperidaenz · 2017-06-24 19:20 · Score: 2
  
  I just tried it on slashdot. email is the only option
  I tried facebook too, I tried all the options available and it eventually said
  
  We're sorry you're having trouble recovering your email address. Unfortunately, this means we can't verify who you are or give you access to the Facebook account you're trying to log into. We may hide the information on your Facebook account if we detect that you cannot regain access to it.
  I suppose paypal still has the option of security questions. Not sure who else does though. I've always put random keyboard mashings when I'm forced to provide security questions.
Comment removed by account_deleted · 2017-06-24 18:19 · Score: 1

Comment removed based on user account deletion
Re: Good thing I use none of those PARASITES by KGIII · 2017-06-24 18:31 · Score: 1

That actually seems like a good defense.

--
"So long and thanks for all the fish."
Re:People really are fucking stupid by hawguy · 2017-06-24 18:32 · Score: 3, Funny

Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.
You'd think that someone trying to sign up for AwesomePorno.com, who suddenly gets a text message from Google that says "The Gmail code you requested is 8926," when they didn't request any code from Gmail, might notice that something hinky is going on. But no, people are god damned idiots. No wonder we wound up with a failed reality show clown in the White House.
He's signing up for AwesomePorno.com despite the huge number of free no-signup-required porn sites out there, so he's already shown that he's not the sharpest tool in the shed.
I don't really understand this by vtcodger · 2017-06-24 18:32 · Score: 1

I don't really understand this all that well, but it sounds kinda ... well ...awkward
Are you folks absolutely sure that using the Internet for anything other than entertainment, research, and casual conversation is prudent?

--
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Re:2FA by phantomfive · 2017-06-24 18:47 · Score: 1

I would disagree with you if you were a protoss, but since you're a zergling you're alright

--
"First they came for the slanderers and i said nothing."
How do you intercept the e-mail? by Sycraft-fu · 2017-06-24 19:00 · Score: 1

I know there's this idea that anything not encrypted is super vulnerable but really, then about what you are saying: How to you mount such an attack? Suppose that someone requests an account reset from Amazon and it is going to their Gmail account. Where do you propose to intercept the message? You think you can realistically hack in to the servers or network at either company? If not there you'd have to get in to one of the tier-1 transit providers. These are some pretty hard targets. Other than that the only thing you could target is the lines themselves. Of course it is a bit difficult to physically tap fiber, in a conduit, and is a bit conspicuous.
It is far less feasible to intercept plain text traffic than many geeks make it out to be. It is not impossible, a state actor can do it, or the ISPs themselves of course. But for J. Random Hacker? Pretty close to impossible. Particularly if you are talking e-mail which these days is normally only plain text between providers, and is sent encrypted to the end user. Getting to tap that traffic would be very difficult, and I'd argue someone that did would ahve higher value targets than a password reset e-mail.
1. Re:How do you intercept the e-mail? by viperidaenz · 2017-06-24 19:30 · Score: 1
  
  Apart from spam, I would guess a lot of email is encrypted everywhere.
  A lot of email providers send and receive mail over encrypted connections.
  Fastmail.com:
  
  Encrypted sending/receiving
  Whenever you send a message to someone outside of FastMail we have to send it across the open internet. Since January 2010 we have fully encrypted all connections between us and the receiving server whenever the other server supports it, preventing passive eavesdropping, tampering or forgery. Similarly, we have accepted encrypted connections for mail delivery to our servers since April 2009, and we encourage all servers connecting to us to use it.
2. Re:How do you intercept the e-mail? by BronsCon · 2017-06-25 05:27 · Score: 1
  
  You think you can realistically hack in to the servers or network at either company? If not there you'd have to get in to one of the tier-1 transit providers.
  Or the ISP on either end, or your target user's internal network, or...
  
  Yes, I think I can grab that data in-transit, because I used to do just that for kicks as a teenager. The statute of limitations has long since lapsed, so I'm not afraid to mention it openly now. It's trivial to get most home routers to spit out all kinds of stuff, and most corporate networks are large enough and an employee could plant their own device without being noticed until someone went to clean up the rack it was stuffed into, by which point they'll have already gotten what they were after and moved on.
  
  It's so far from impossible, I wouldn't even call it difficult. A mild challenge, at best.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
3. Re:How do you intercept the e-mail? by BronsCon · 2017-06-25 05:29 · Score: 1
  
  whenever the other server supports it
  You'd be shocked how many still don't.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
4. Re:How do you intercept the e-mail? by Sycraft-fu · 2017-06-25 09:28 · Score: 1
  
  Well first off forgive me if I don't believe your "I'm such a l33t haxor" stories without a bit of proof. I have encountered more than a few people in my career who have supposedly done all kinds of nifty shit, yet have trouble doing even the most basic IA related tasks.
  Second, things have gotten more secure than since the Internet started. Source routing is something blocked on almost all networks, switches have replaced hubs (and switches are hardened against things like ARP poisoning now), most systems and networks have stateful firewalls sitting on them, and so on. What worked in 1995 is not very likely to work today.
  However the biggest of all is as I noted in my first post: E-mail is generally encrypted between provider and person today. The biggest e-mail platforms, Gmail, Office 365, etc do encryption to the endpoint. When you check Gmail, be it via web browser or your phone, Google encrypts the session with TLS and your browser/app decrypts it. That means any data theft on the target's network or the ISP is out, it is encrypted.
  So you are then left with the e-mail host, the company sending the mail, and maybe the transit providers supposing those companies don't encrypt e-mail between them (which they often do). If you really think you can hit Google, well then let's hear how that would go. Lay out the theoretical framework for how you'd get in to their systems to be able to monitor data in transit.
  So no, sorry, this isn't an easy task to accomplish. You'd be far more likely to succeed in attacking the target's computer (as ever) in which case crypto doesn't matter since it is decrypted on their system. Of course neither would a reset e-mail since you could just capture the passwords directly.
5. Re: How do you intercept the e-mail? by BronsCon · 2017-06-25 10:06 · Score: 1
  
  Yet you ignored the second vulnerability I mentioned in the post you initially replied to. If you've got plaintext passwords sitting in your email, you've got problems that have nothing at all to do with whether or not I can intercept your traffic. While it may (or may not) be difficult to hack Google's servers, it's not that difficult to pay off someone on the gmail support staff to dump your account contents.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
6. Re: How do you intercept the e-mail? by Sycraft-fu · 2017-06-25 10:37 · Score: 1
  
  Password resets don't send plain text passwords. They send a link that can be used to reset the password, a link with a short life generally.
  That aside you think it is easy to pay off someone at Google to access e-mail? Try it. What you'd discover is that first most people are fairly moral, you may not be, but most are but second that places like Google have some pretty series security controls in place. A random employee can't just go and access someone's mail. I don't mean they aren't allowed to, I mean there are controls in place to keep them from doing so. Such a thing is monitored and requires authorization. You'd need to compromise more than one person, and that's pretty hard, certainly more than a "mild challenge". Particularly given that your target it a password reset for some random person's account.
  You seem to be applying 20 year old thinking to the modern IA landscape. Yes, back in the 90s it might have been easier to compromise someone at the local ISP that had all of 10 people working at it and no security controls at all to get in to the mail server. Well part of the changing world and the "cloud" nature of modern services is that's not your target anymore. By and large mail is hosted by big providers, who have some of the best blue and red teams in the business working for them. They are hard targets.
  While e-mailed password reset links are not the best way of doing security, they are plenty good enough for the value of what they are protecting. The resources required to compromise such a thing are way in excess of the value you'd gain. So people aren't going to try.
7. Re: How do you intercept the e-mail? by barbariccow · 2017-06-25 12:27 · Score: 1
  
  it's not that difficult to pay off someone on the gmail support staff to dump your account contents.
  You don't even need to do that! You just need to have an annoying clippie-knockoff that is an ugly purple ape thing on your system, which tells jokes and spins balls around, or throws bananas across your screen. Then no matter the encryption, if it's decrypted for your eyes or viewable in any way, that "tophat search" toolbar or whatever will have no problem getting it.
  And if you think a million people wouldn't willingly install such a thing.... https://en.wikipedia.org/wiki/...
8. Re: How do you intercept the e-mail? by BronsCon · 2017-06-25 13:02 · Score: 1
  
  Password resets don't send plain text passwords.
  Well, since I was replying to this:
  
  Most real-world password reset mechanisms will send you the new password by email, and won't be vulnerable to this attack.
  I think my point still stands. And yes, I actually have seen password resets that send an actual working password, and not just a link; fairly recently, at that.
  
  Such a thing is monitored and requires authorization.
  So, every filesystem or database read is monitored? No. Not even close.
  
  You'd need to compromise more than one person
  Unless that person is a DBA or sysadmin.
  
  You seem to be applying 20 year old thinking to the modern IA landscape.
  \ Right, and people pulling off successful social engineering attacks today are applying the very same thinking. It works just the same as it did in the 90's, which is exactly how it worked in the 70's. In fact, it's worked for as long as confidential written records have existed and will continue working well beyond our individual mortal existences.
  
  Of course, I should have known you weren't keen on paying attention and putting two and two together when you couldn't piece together why I was talking about sending passwords via email in the first place. You seem to be just the kind if inattentive ninny who gets used in social engineering attacks in the first place, based solely on our interaction here. Perhaps I'm wrong, and I surely hope so given that you appear to at least attempt to take on a security role somewhere. I sincerely hope you pay closer attention to details at work, if that's the case.
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Re:So, don't do stupid shit. by viperidaenz · 2017-06-24 19:23 · Score: 4, Insightful

Don't click links in your email....manually go directly to your related site's home page
Unless it's a password reset email, then clicking the link is safer.
Re-typing the confirmation code in to the MITM website is the only way this type of attack can work when a password reset requires an email confirmation. Clicking the link takes the man out of the middle.
Re:Constant reminder to armchair security gurus by Anne+Thwacks · 2017-06-24 21:51 · Score: 1

It may take some skill to write a program,
Or not: You can always download that tool that allows you to write PHP by throwing cow-pats at the screen with your Wii-mote.
(There must be one: its the only way to explain the quality of most PHP code).

--
Sent from my ASR33 using ASCII
Re:two-factor authentication by peragrin · 2017-06-24 23:19 · Score: 1

You still enter your second factor in the scam website thus providing them with authorization.
However since every website with two factor has its own two factor they can only target selected sites at a given time.

--
i thought once I was found, but it was only a dream.
How is this new? Phishing to a site always works.. by Assmasher · 2017-06-25 00:40 · Score: 1

...and always will work.
This works when creating an account, not just password resetting - it's just likely to be easier with password resetting because of the similarity of process between sites.
The only way to prevent this (under any protocol) is client identification against a list of known (not a priori) clients (e.g. published client certificates.)
If you want anonymity, then you're going to take the risk of being impersonated sadly...

--
Loading...
Some websites ... by PPH · 2017-06-25 04:32 · Score: 1

... e-mail you a new temporary password upon receiving the reset request. To an e-mail address already on file. Even if the MITM attack initiated the reset, they wouldn't be able to see the subsequent e-mail exchange with the new password, link to acknowledge receipt, etc. unless they had also hacked your e-mail. Well written password maintenance pages will ignore the insertion of an alternate e-mail address. Lose your old e-mail account and you have to answer a bunch of security questions. Or you are SOL with that account.

--
Have gnu, will travel.
Avoid creating accounts by Anonymous Coward · 2017-06-25 05:01 · Score: 1

This is why I don't create accounts or "log in" to websites. There should rarely be a need to create an account unless you're buying something or its your email.
The more accounts you create the greater "attack surface" you create for yourself .
Re:two-factor authentication by sexconker · 2017-06-25 05:29 · Score: 1

How would you be prompted to enter the second code into the site? "Durp, you never set up 2 factor authentication, but go ahead and enter the SMS you get from Google into this form field on a non-Google site."? Or perhaps "Uh, open your authenticator application and enter the code for the entry attached to the email account you just gave us."? Or even "Use your dedicated hardware token for your bank."?
Re:So, don't do stupid shit. by sexconker · 2017-06-25 05:34 · Score: 2

Why the FUCK is this modded insightful?
A link is a fucking link. You can type in any link into your browser manually. Of you can copy and paste the text of the link. Doing so makes NO difference. You end up at the same destination.
Clicking a link or manually navigating to some other page, then manually typing in a code is the same deal (actually a bit safer as the form data isn't exposed via the URL as in the link clicking/copying scenario). A MITM attack is useless if you're connected via SSL/TLS. (Unless you believe the MITM can break SSL/TLS, at which point you're fucked regardless.)
Re:So, don't do stupid shit. by viperidaenz · 2017-06-25 09:09 · Score: 1

You're confused about the mod points because you don't understand.
This "MITM" isn't breaking SSL or TLS. They're relaying what you type in their websites signup form to the target websites password reset form.
If you type or copy/paste a verification code in the email you received from the target website that was triggered by the MITM, they have compromised your account.
If you click on the verification link in the email, they never receive the verification code, it gets submitted to the target site and becomes invalid. Your account is safe.
This vulnerability can be completely mitigated by not using security questions and not sending users verification codes, only sending them a verification link.
Why do I need an account? by sconeu · 2017-06-25 14:42 · Score: 1

Lately, I've been noticing a lot of sites requiring an account even for a one time purchase.
If I'm just buying a ticket to your location, and the odds are I'm never going to visit your site again, then WHY THE F**K DO I NEED TO CREATE AN ACCOUNT?

--
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.