Slashdot Mirror

← Back to Stories (view on slashdot.org)

Account Registrations Enable 'Password Reset Man In The Middle' Attacks (helpnetsecurity.com)

Posted by EditorDavid on from the three-factor-authentication dept.

"Attackers that have set up a malicious site can use users' account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated." Orome1 quotes Help Net Security: The Password Reset Man in the Middle attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource. Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on). Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.
Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.

3 of 79 comments (clear)

  1. "security questions" bite us again by Anonymous Coward · · Score: 5, Insightful

    This illustrates the weakness of "security questions". Providing additional information to third party sites is never a good idea; the site should function with least amount of data as possible. A bank doesn't need to know what their customers' best childhood friends' names, or favorite colors are. I've always treated these as secondary passwords, generating a random string for each.

  2. Re:People really are fucking stupid by hawguy · · Score: 3, Funny

    Interestingly, it can also beat two-factor authentication -- since the targeted user will still input the phone code into the man-in-the-middle site.

    You'd think that someone trying to sign up for AwesomePorno.com, who suddenly gets a text message from Google that says "The Gmail code you requested is 8926," when they didn't request any code from Gmail, might notice that something hinky is going on. But no, people are god damned idiots. No wonder we wound up with a failed reality show clown in the White House.

    He's signing up for AwesomePorno.com despite the huge number of free no-signup-required porn sites out there, so he's already shown that he's not the sharpest tool in the shed.

  3. Re:So, don't do stupid shit. by viperidaenz · · Score: 4, Insightful

    Don't click links in your email....manually go directly to your related site's home page

    Unless it's a password reset email, then clicking the link is safer.
    Re-typing the confirmation code in to the MITM website is the only way this type of attack can work when a password reset requires an email confirmation. Clicking the link takes the man out of the middle.