searchtwitterarrow rightmail strokearrow leftmail solidfacebooklinkedinplusangle upmagazine plus
Help Net Security - Daily information security news with a focus on enterprise security.
  • News
  • Features
  • Expert analysis
  • Videos
  • Reviews
  • Events
  • Reports
  • Whitepapers
  • Industry news
  • Product showcase
  • Newsletters
  • (IN)SECURE Magazine
Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
June 23, 2017
Share

Password Reset MITM: Exposing the need for better security choices

Attackers that have set up a malicious site can use users’ account registration process to successfully perform a password reset process on a number of popular websites and messaging mobile applications, researchers have demonstrated.

The Password Reset MITM attack

The Password Reset Man in the Middle (PRMITM) attack exploits the similarity of the registration and password reset processes.

To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource (e.g. free software). Once the user initiates the account registration process by entering their email address, the attacker can use that information to initiate a password reset process on another website that uses that piece of information as the username (e.g. Google, YouTube, Amazon, Twitter, LinkedIn, PayPal, and so on).

Every request for input from that site is forwarded to the potential victim, and then his or her answers forwarded back to that particular site.

In the most basic form (when the password reset request depends on security questions), the attack looks like this:

Password Reset MITM

But the attack is also very successful if the password reset request depends on an SMS code for confirmation, or a phone code delivering the code.

The potential victim is, along with the email address, asked to input their mobile phone number so that the malicious site can “verify” that they are who they say they are and, in the majority of cases, they fail to find it suspicious that the SMS or phone call is coming from Google, or Facebook, and so on.

That failure is down to several things:

  • Some sites fail to identify themselves as the sender of the SMS or the caller delivering the code (e.g. the user sees just a phone number, and the message does not explicitly say from which service it comes from)
  • Many users don’t read or really hear the text in the message/phone call – they simply do not register it – but zero-in on the offered numeric code. Some users do not even open the message, but read the code from the notifications bar
  • A reset code message may come in an unknown language, confusing users and making them focus even more on just the code
  • Some users may notice that the message was sent from Facebook (for example), but perhaps believe that the login is done using the widely used login with Facebook mechanism.

Workable solutions

The researchers have executed a few experiments, confirming the high probability of such an attack to be successful, and have notified of their findings the companies running many popular websites that have vulnerable password reset processes.

They have shared with them some general guidelines that can be applied to prevent Password Reset MITM attacks, including avoiding relying on security questions, restricting the validity of the reset code to a short time, notifying users by email and phone when a password reset request is sent, not sending a code but a link, and adding interactivity to the phone call so that users are forced to listen to the message and understand what they are doing.

“Vendors that are severely vulnerable to the PRMITM attack, either fixed the vulnerability (Snapchat, Yahoo!) or informed us that they plan to fix the vulnerability (Google, LinkedIn and Yandex). Other websites, which are less vulnerable (e.g., Facebook) thanked us, and told us they will consider using our findings in the future, but they do not plan to apply fixes soon,” the researchers concluded.




More about
  • account hijacking
  • authentication
  • MITM
  • passwords
  • research
  • web application security
Share this

Featured news

  • How businesses are prioritizing data privacy
  • How parents can talk about online safety and personal info protection with their kids
  • Why digital trust needs to be a strategic imperative for your company
Detection, isolation, and negotiation: Improving your ransomware preparedness and response

What's new

Cyber Week 2022 video walkthrough

Evaluating the use of encryption across the world’s top one million sites

EMEA continues to be a hotspot for malware threats

Evolving online habits have paved the way for fraud. What can we do about it?

Don't miss

Evaluating the use of encryption across the world’s top one million sites

Evolving online habits have paved the way for fraud. What can we do about it?

How businesses are prioritizing data privacy

Photos: Cyber Week 2022

How parents can talk about online safety and personal info protection with their kids

Help Net Security - Daily information security news with a focus on enterprise security.
Follow us
  • Features
  • News
  • Expert Analysis
  • Reviews
  • Events
  • Reports
  • Whitepapers
  • Industry news
  • Newsletters
  • Product showcase
  • Twitter

In case you’ve missed it

  • OT security: Helping under-resourced critical infrastructure organizations
  • How to keep your NFTs safe from scammers
  • Is your organization ready for Internet Explorer retirement?
  • Attackers aren’t slowing down, here’s what researchers are seeing

(IN)SECURE Magazine ISSUE 71.5 (June 2022)

Several of the most pressing topics discussed during this year’s Conference included issues surrounding privacy and surveillance, the positive and negative impacts of machine learning and artificial intelligence, the nuances of risk and policy, and more.

Read online
© Copyright 1998-2022 by Help Net Security
Read our privacy policy | About us | Advertise