Slashdot Mirror


Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com)

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.

7 of 79 comments

  1. "security questions" bite us again by Anonymous Coward · · Score: 5, Insightful

    This illustrates the weakness of "security questions". Providing additional information to third-party sites is never a good idea; the site should function with the least amount of data possible. A bank doesn't need to know their customers' best childhood friends' names or favorite colors. I've always treated these as secondary passwords, generating a random string for each.

  2. There is a fallback if you've changed email by raymorris · · Score: 2

    Often enough, people no longer have access to the email address they used when they signed up a long time ago. So while "a link in an email" is the default password reset, most popular sites offer other mechanisms as well.

    1. Re:There is a fallback if you've changed email by viperidaenz · · Score: 2

      I just tried it on Slashdot. Email is the only option.
      I tried Facebook too; I tried all the options available and it eventually said:

      We're sorry you're having trouble recovering your email address. Unfortunately, this means we can't verify who you are or give you access to the Facebook account you're trying to log into. We may hide the information on your Facebook account if we detect that you cannot regain access to it.

      I suppose paypal still has the option of security questions. Not sure who else does though. I've always put random keyboard mashings when I'm forced to provide security questions.

  3. Re:People really are fucking stupid by hawguy · · Score: 3, Funny

    Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.

    You'd think that someone trying to sign up for AwesomePorno.com, who suddenly gets a text message from Google that says "The Gmail code you requested is 8926," when they didn't request any code from Gmail, might notice that something hinky is going on. But no, people are god damned idiots. No wonder we wound up with a failed reality show clown in the White House.

    He's signing up for AwesomePorno.com despite the huge number of free no-signup-required porn sites out there, so he's already shown that he's not the sharpest tool in the shed.

  4. Re:CAPTCHA by hawguy · · Score: 2

    Isn't this old news? I thought this was always the weakness with CAPTCHA codes: present the code to real users (e.g., for access to porn) and you get someone entering the code for you.

    This isn't so much about the weakness in CAPTCHAs, which as you say is already known, but demonstrating yet another reason why "security questions" are bad for security.

  5. Re:So, don't do stupid shit. by viperidaenz · · Score: 4, Insightful

    Don't click links in your email....manually go directly to your related site's home page

    Unless it's a password reset email, then clicking the link is safer.
    Re-typing the confirmation code into the MITM website is the only way this type of attack can work when a password reset requires an email confirmation. Clicking the link takes the man out of the middle.
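The relay described in the summary above (attacker starts a reset on the real site, forwards each prompt to the victim as a "registration step", forwards the answer back) and the point made in this comment (a reset that the victim completes by following an emailed link never passes through the attacker) as one runnable simulation. This is an added example, not code from the Help Net Security article, the underlying research, or any of the sites named in the thread; the site names, the security question, the SMS and e-mail wording, the three reset methods and the victim's two behaviours are all constructed for the simulation.

```python
"""Simulation of the Password Reset Man-in-the-Middle (PRMitM) relay (constructed)."""
import re
import secrets


class Victim:
    """The user lured into 'registering' on the attacker's site (constructed)."""
    def __init__(self, email):
        self.email = email
        self.pet_name = "rex"        # answer to the constructed security question
        self.phone_inbox = []        # SMS messages the victim receives
        self.mail_inbox = []         # e-mail messages the victim receives


class TargetSite:
    """The real site whose reset flow the attacker drives (assumed behaviour)."""
    def __init__(self, name, reset_method, victim):
        self.name = name
        self.reset_method = reset_method   # 'question', 'sms' or 'link' (assumed options)
        self.victim = victim
        self.sessions = {}                 # reset session id -> secret that completes it
        self.reset_completed_by = None     # 'attacker' or 'victim' once a reset succeeds

    def start_reset(self, email):
        """Begin a reset for `email`; return (session id, prompt shown to the requester)."""
        session = secrets.token_hex(8)
        if self.reset_method == "question":
            self.sessions[session] = self.victim.pet_name
            return session, "What was the name of your first pet?"
        if self.reset_method == "sms":
            code = f"{secrets.randbelow(10**6):06d}"
            self.sessions[session] = code
            self.victim.phone_inbox.append(f"Your {self.name} code is {code}")
            return session, "Enter the code we just texted you"
        if self.reset_method == "link":
            token = secrets.token_urlsafe(16)
            self.sessions[session] = token
            self.victim.mail_inbox.append(f"https://{self.name}/reset?token={token}")
            return session, "Check your e-mail and follow the reset link"
        raise ValueError(self.reset_method)

    def submit(self, session, secret, actor):
        """Complete the reset if `secret` matches the session; record who completed it."""
        expected = self.sessions.get(session)
        if expected is not None and secrets.compare_digest(expected, secret):
            self.reset_completed_by = actor
            return True
        return False

    def follow_link(self, url, actor):
        """The browser lands on the real site: the token is consumed here, not relayed."""
        token = url.split("token=", 1)[1]
        for session, expected in self.sessions.items():
            if expected == token:
                return self.submit(session, token, actor)
        return False


def extract_secret(text):
    """What the attacker pulls out of whatever the victim typed into the fake form."""
    m = re.search(r"token=([A-Za-z0-9_\-]+)", text)
    if m:
        return m.group(1)
    m = re.search(r"\b\d{6}\b", text)
    return m.group(0) if m else text.strip()


def victim_response(victim, target, prompt, policy):
    """What the victim types into the attacker's form, or None if they leave for the real site.

    policy 'transcribe':  retype/paste whatever was asked for into the attacker's form.
    policy 'follow_link': open the reset link from the e-mail directly (goes to the real site).
    """
    if "pet" in prompt:
        return victim.pet_name
    if "texted" in prompt:
        return victim.phone_inbox[-1]            # copies the SMS text into the form
    if "link" in prompt:
        if policy == "follow_link":
            target.follow_link(victim.mail_inbox[-1], "victim")
            return None                          # attacker's form never sees the token
        return victim.mail_inbox[-1]             # pastes the link text into the form instead
    return None


def run_attack(reset_method, policy="transcribe"):
    """Drive one PRMitM attempt; return (attacker_got_the_account, who_completed_the_reset)."""
    victim = Victim("alice@example.test")                   # constructed victim
    target = TargetSite("target.example", reset_method, victim)
    # 1. Victim 'registers' on the attacker's site with their e-mail address.
    # 2. Attacker immediately starts a reset for that address on the target.
    session, prompt = target.start_reset(victim.email)
    # 3. Attacker shows the target's prompt as the next 'registration' step.
    answer = victim_response(victim, target, prompt, policy)
    if answer is None:
        return False, target.reset_completed_by              # nothing passed through the attacker
    # 4. Attacker forwards the victim's answer to the target as their own.
    won = target.submit(session, extract_secret(answer), "attacker")
    return won, target.reset_completed_by


if __name__ == "__main__":
    for method, policy in [("question", "transcribe"), ("sms", "transcribe"),
                           ("link", "follow_link"), ("link", "transcribe")]:
        print(method, policy, run_attack(method, policy))
```

The security question and the SMS code both fall to the relay, because the only way the victim can use them is to type them somewhere, and the attacker's form is the place being asked. The emailed link only fails the attacker when the victim actually follows it; if the victim pastes the link text into the attacker's form, the token passes through the attacker just like a code would.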

  6. Re:So, don't do stupid shit. by sexconker · · Score: 2

    Why the FUCK is this modded insightful?

    A link is a fucking link. You can type any link into your browser manually. Or you can copy and paste the text of the link. Doing so makes NO difference. You end up at the same destination.

    Clicking a link or manually navigating to some other page, then manually typing in a code is the same deal (actually a bit safer as the form data isn't exposed via the URL as in the link clicking/copying scenario). A MITM attack is useless if you're connected via SSL/TLS. (Unless you believe the MITM can break SSL/TLS, at which point you're fucked regardless.)