Security Notes. Password recovery

    I would like to say a little about the storytelling approach of this post. Everything described here comes from real cases in my own practice; most of them involve popular projects, so I will name them in the text. The main thing I want to draw your attention to is that this article may not seem interesting to information security experts, because it contains no new attack vectors or especially clever techniques. All of the information is aimed at developers and project managers.
    When carrying out an audit, the goal is to assess the maximum damage an attacker can cause with the minimum of actions and knowledge. As practice shows, in the harsh conditions of software production such nuances are thought through by only a handful of projects.



    One of the popular problem areas is password recovery and, through it, gaining access to user accounts. Today there is probably not a single site without a password recovery function. I have divided the approaches into several types in order to consider each of them:
    • Security question and answer
    • Unique email link
    • Sending a new / current password by email
    • SMS OTP (one-time password)

    Of course, this is only the tip of a large iceberg. There are problems in other approaches too, for example OAuth, but much has already been written about that, and those are technical nuances; I am more interested in business logic.

    So, let us consider the weaknesses of each of the points above.

    Security question and answer


    One of the serious omissions in this approach is, most often, that the user is not allowed to set their own question, combined with the site presenting a form for a new password as soon as the correct answer is entered.
    According to operational information, this attack was carried out against WesternUnion, which gave reason to think seriously about the security of this function and to restrict it temporarily. Analysis of the service showed that the user was offered a choice of 3 questions: pet's name, hometown and mother's maiden name. It was not difficult to obtain the answers to these questions for dozens of users through social engineering; the social networks Facebook, Twitter, LJ and others came to the rescue.
    Besides social engineering there was also a more technical possibility: the answers for hometown and pet name could be brute-forced from small dictionaries. This attack could have been prevented by an additional captcha field, which was later added. Thus, because of an ordinary flaw in the password recovery functionality, attackers were able to gain access to the WU money transfer function, with increased limits, from the profiles of compromised users. The list of users (logins and emails) that was run through the form had been obtained from another source, through a more banal SQL injection vulnerability; malicious code was also placed on the main page of the hacked site.

    Findings:
    • Let the user set their own security question and answer, without restrictions.
    • Limit the number of attempts to enter the correct answer per unit of time, for example 10 attempts per hour.
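    The second finding in code, as an added example that is not part of the original post or of any of the services it mentions. It shows a per-account sliding window of 10 attempts per hour around a security-answer check, and a constructed 12-city hometown dictionary attack of the kind described above: with no limit the 12th guess would succeed, with the limit the attacker is locked out after the 10th and the real user can still answer once the window has passed. The hashed storage format, the normalisation of answers and the lockout behaviour are my assumptions; the 10-per-hour figure is the post's.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# The post's recommendation: 10 answer attempts per account per hour.
MAX_ATTEMPTS = 10
WINDOW_SECONDS = 3600


def _hash_answer(answer: str) -> bytes:
    """Normalise ("Odessa " == "odessa") and hash; the clear answer is never stored.
    The storage format is an assumption made for this example."""
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).digest()


class SecurityAnswerVerifier:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._answers = {}                    # login -> sha256(normalised answer)
        self._attempts = defaultdict(deque)   # login -> timestamps inside the window

    def register(self, login: str, answer: str) -> None:
        self._answers[login] = _hash_answer(answer)

    def _over_limit(self, login: str) -> bool:
        """Sliding window: forget attempts older than WINDOW_SECONDS, then count."""
        now = self._clock()
        window = self._attempts[login]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            return True            # a blocked attempt is not recorded, so the
        window.append(now)         # lockout ends one window after the 10th try
        return False

    def verify(self, login: str, answer: str) -> str:
        """Return 'ok', 'wrong' or 'locked'. While locked, even the right answer fails."""
        if self._over_limit(login):
            return "locked"
        stored = self._answers.get(login)
        # Unknown logins still pay for a hash and a comparison, so response time
        # does not reveal whether the account exists.
        expected = stored if stored is not None else _hash_answer("")
        matched = hmac.compare_digest(_hash_answer(answer), expected)
        return "ok" if stored is not None and matched else "wrong"


class FakeClock:
    """Controllable clock so the lockout can be shown without waiting an hour."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds: float):
        self.now += seconds


def demo():
    """Constructed attack: a 12-entry hometown dictionary with the real answer last.
    Without a limit the 12th guess would win; with 10/hour it is never reached."""
    clock = FakeClock()
    v = SecurityAnswerVerifier(clock)
    v.register("alice", "Odessa")
    cities = ["Kiev", "Kharkov", "Lvov", "Dnepropetrovsk", "Zaporozhye", "Nikolaev",
              "Vinnitsa", "Poltava", "Sumy", "Lutsk", "Rovno", "Odessa"]
    results = [v.verify("alice", city) for city in cities]
    clock.advance(WINDOW_SECONDS + 1)      # an hour later the real user gets in
    return results, v.verify("alice", "odessa")


if __name__ == "__main__":
    print(demo())
```

    A captcha, as WU added, raises the cost per guess; the limiter caps the number of guesses outright, and the two combine well. Counting every attempt rather than only failed ones is deliberate: it keeps the bookkeeping simple and the real user rarely needs more than a couple of tries.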


    Unique email link


    An interesting story happened with one of the clients who asked for help. Mass complaints about changed passwords began to arrive from users of one of the popular startup exchanges, NaPartner. After going through all the steps of password recovery, the only place where the problem could be seemed to be a unique link with a single parameter containing an md5 hash. Running this md5 through a lookup database very quickly gave a result: it turned out to be a 4-digit numeric code of the form md5(1234). A few minutes later a ready-made testing tool was in hand which accepted a user's login, sent a password recovery request, brute-forced this "unique" hash in a dozen threads within a few seconds, and then set the password 12345 through the form behind the unique link. The problem was solved with more complex initial data for the hash.
    Several things are worth paying attention to:
    • The unique link must be one-time and must become inactive after the password is changed or the user logs in
    • There should be a limit on the number of attempts to enter the code; 5 is enough


    Sending a new / current password by email


    This is perhaps the most common approach, and the one where gaining access to a user's account takes the most work.
    Several recommendations are worth noting:
    • Never store the user's password in clear text, and certainly never send it by email
    • Never send a new / temporary password without first having the user confirm the change through a unique link
    • Never generate simple, short new / temporary passwords

    Unfortunately, points 2 and 3 very often occur together, which gives attackers the following algorithm: send a password recovery request for the victim's login; the account's password is replaced by a new one that is generated with a fixed length of 5 characters, or consists only of a fixed number of digits; then brute-force that password.
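    The "unique email link" and "new password by email" sections above share one fix, so here is a single added example covering both; it is not code from the original post, from NaPartner or from any other service mentioned. The weak form is reconstructed from the description (an md5 of an unpadded 4-digit decimal code, recovered with at most 10,000 hashes). The hardened form issues a 256-bit random token, stores only its SHA-256, lets it expire, burns it after 5 wrong submissions (the post's figure), consumes it on first use, and only then hands out a temporary password that is long enough to matter. The 30-minute lifetime, the 16-character temporary password and the storage layout are my assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string
import time
from typing import Optional

TOKEN_TTL_SECONDS = 30 * 60    # assumed: a reset link lives 30 minutes
MAX_TOKEN_ATTEMPTS = 5         # the post's figure: 5 attempts is enough
TEMP_ALPHABET = string.ascii_letters + string.digits


def weak_token(code: int) -> str:
    """The NaPartner-style 'unique' parameter as described: md5 of a 4-digit code."""
    return hashlib.md5(str(code).encode()).hexdigest()


def crack_weak_token(token_hex: str) -> Optional[int]:
    """Recover the code behind such a token; at most 10,000 md5 calls are needed."""
    for code in range(10_000):
        if weak_token(code) == token_hex:
            return code
    return None


class ResetTokenStore:
    """Hardened form: random 256-bit token, stored hashed, expiring, one-time,
    burned after MAX_TOKEN_ATTEMPTS wrong submissions."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}     # login -> {"hash", "expires", "attempts"}

    def issue(self, login: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[login] = {
            "hash": hashlib.sha256(token.encode()).digest(),   # only the hash is kept
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token   # goes into the emailed link and nowhere else

    def redeem(self, login: str, token: str) -> bool:
        entry = self._pending.get(login)
        if entry is None or self._clock() > entry["expires"]:
            self._pending.pop(login, None)
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_TOKEN_ATTEMPTS:
            self._pending.pop(login, None)       # the sixth miss burns the link
            return False
        ok = hmac.compare_digest(hashlib.sha256(token.encode()).digest(), entry["hash"])
        if ok:
            self._pending.pop(login)             # one-time: replaying the link fails
        return ok

    def invalidate(self, login: str) -> None:
        """Call on successful login or password change so an older link is dead."""
        self._pending.pop(login, None)


def temporary_password(length: int = 16) -> str:
    """Issued only after redeem() succeeded. 16 symbols from 62 is ~95 bits;
    the fixed 5-digit password the post describes is ~16.6 bits."""
    return "".join(secrets.choice(TEMP_ALPHABET) for _ in range(length))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def demo():
    now = [1_000.0]
    store = ResetTokenStore(clock=lambda: now[0])
    t1 = store.issue("alice")
    misses = [store.redeem("alice", secrets.token_urlsafe(32)) for _ in range(6)]
    burned = store.redeem("alice", t1)            # real link is dead after 6 misses
    t2 = store.issue("alice")
    first, replay = store.redeem("alice", t2), store.redeem("alice", t2)
    t3 = store.issue("alice")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired = store.redeem("alice", t3)
    return misses, burned, first, replay, expired
```

    With a 5-attempt cap, the md5-of-four-digits token would already have stopped the dozen-thread tool; with a 256-bit random token the cap is a second line of defence rather than the only one. The password form behind the link should also call invalidate() once the new password is saved, so a link that leaked into a log or a mail client cannot be reused.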

    BONUS: in one popular online game, Stronghold Kingdoms, there was a single SQL injection in the password recovery / registration forms, in the login field (aka email), where an ajax request checked whether that record exists in the database. A similar check is found very often on different sites, and I would like to describe how it can be exploited even when there is no SQLi. Usually this is part of building a user database: attackers take large lists of email addresses and run them against the site, then use the ones found for username / password guessing. This may seem very strange and unlikely to you, but if money or enthusiasm is at stake (or maybe both), there is nothing incredible about it. It is also worth noting that during password recovery it happens that the site asks for a user login and then displays a message saying to which email the password was sent, which can also serve as a starting point for gaining access to that mailbox. Be sure to hide part of the email with asterisks.
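    The two problems in the bonus paragraph in code, as an added example that is not from the original post or from Stronghold Kingdoms: a reply that differs for known and unknown logins (and prints the full address) turns the recovery form into a user oracle, while a reply that is identical in both cases gives the attacker's list nothing to sort by. The masking scheme (first character of the local part and of the domain, a fixed number of asterisks so the length is not disclosed either, TLD kept), the generic reply text and the constructed user table are my choices.

```python
import secrets

GENERIC_REPLY = "If an account with this login exists, recovery instructions have been sent to its email."


def mask_email(email: str) -> str:
    """alice.smith@example.com -> a***@e***.com. Fixed asterisk count hides the length."""
    local, at, domain = email.rpartition("@")
    if not at or not local or "." not in domain:
        raise ValueError("not an email address")
    name, _, tld = domain.rpartition(".")
    return f"{local[0]}***@{name[0]}***.{tld}"


def leaky_response(login: str, users: dict) -> str:
    """The pattern the post warns about: the reply differs for known and unknown
    logins and prints the full address, so the form doubles as a user oracle."""
    user = users.get(login)
    if user is None:
        return "User not found"
    return f"The password has been sent to {user['email']}"


def uniform_response(login: str, users: dict, mailer) -> str:
    """Same text whether or not the login exists; the address appears only in the
    mail the legitimate owner receives, and masked wherever it must be shown at all."""
    user = users.get(login)
    if user is not None:
        mailer(user["email"], f"Recovery requested for {mask_email(user['email'])}")
    return GENERIC_REPLY


def enumerate_logins(candidates, responder) -> list:
    """Constructed attacker: run a list of logins through the form and keep those whose
    reply differs from the reply for a login that certainly does not exist."""
    baseline = responder("no-such-user-" + secrets.token_hex(8))
    return [c for c in candidates if responder(c) != baseline]


def demo():
    users = {"alice": {"email": "alice.smith@example.com"},   # constructed user table
             "bob": {"email": "bob@mail.example"}}
    candidates = ["admin", "alice", "carol", "bob", "dave"]   # constructed attacker list
    outbox = []
    leaky = enumerate_logins(candidates, lambda login: leaky_response(login, users))
    uniform = enumerate_logins(
        candidates,
        lambda login: uniform_response(login, users, lambda to, body: outbox.append((to, body))),
    )
    return leaky, uniform, len(outbox)
```

    The same uniform reply belongs on the registration form's "is this login taken" check; if the business insists on live availability feedback there, put it behind a captcha and a per-IP limit, because that endpoint answers exactly the question the attacker's address list is asking.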

    SMS OTP (One-time password)


    Since the previous section was very boring and has been chewed over by Captain Obvious, I propose using the last section for a more interesting and no less common problem with temporary SMS codes, especially since an SMS code can not only be bypassed, but can also make the site owner pay up.
    One of the audit orders came from a Ukrainian company whose name remains secret under an NDA. It is a financial service that was fanatically attached to SMS OTP, for almost every action. This annoyed me quite a lot during testing, because I had to sit hugging a mobile phone and enter these codes every time. But as it turned out later, after logging in it was possible to change the SMS password in the profile to a regular password. And that seemed to me a great chance to take SMS OTP as the basis for gaining access to user accounts. The code arriving by SMS always consisted of 6 digits, and here it is impossible not to recall the md5(1234) we considered above. Yes, my logic was the same. First of all I checked the number of attempts to enter the code, and it turned out to be unlimited; after that it was only a matter of time.
    Thus it was possible to gain access to the test user and withdraw funds from his balance.
    I did not stop there. During testing I sent a lot of SMS to my phone and decided to calculate the costs:
    1 SMS = 0.30 rubles (30 kopecks), the real cost of an SMS for this client.
    A script running in 10 threads sends at least 1 request per second per thread, that is, 10 requests per second.
    In total, over 24 hours the script can send 10 * 60 * 60 * 24 = 864,000 SMS, which will cost the client 259,200 Russian rubles (> $8,000).
    Conclusion: restrict the sending of SMS per login, and limit the number of attempts to check the OTP.
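    Both halves of the conclusion in code, as an added example that is not from the original post or from the audited company. It reproduces the post's cost arithmetic (864,000 SMS a day at 0.30 rubles), then runs a constructed attacker against a small OTP service that caps sends per login (a cooldown between codes plus an hourly quota) and burns a code after 5 wrong guesses, so neither the brute force over 10^6 six-digit codes nor the 864,000-SMS bill can happen. The 5-minute code lifetime, the 60-second cooldown, the quota of 3 per hour and the fake gateway are my assumptions; the 6 digits, 5 attempts and 0.30 rubles are the post's figures.

```python
import secrets
import time
from collections import deque

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300         # assumed: a code is valid for 5 minutes
MAX_VERIFY_ATTEMPTS = 5       # wrong guesses before the code is burned
MAX_SENDS_PER_HOUR = 3        # assumed per-login send quota
SEND_COOLDOWN_SECONDS = 60    # assumed minimum gap between two codes for one login


class RecordingGateway:
    """Stand-in for the SMS provider: records every message and charges for it."""

    def __init__(self, price_per_sms: float = 0.30):   # 0.30 RUB per SMS, the post's figure
        self.sent = []
        self.price = price_per_sms

    def send(self, phone: str, text: str) -> None:
        self.sent.append((phone, text))

    def cost(self) -> float:
        return round(len(self.sent) * self.price, 2)


class OtpService:
    def __init__(self, gateway, clock=time.time):
        self._gw = gateway
        self._clock = clock
        self._phones = {}        # login -> phone number
        self._codes = {}         # login -> pending code state
        self._sends = {}         # login -> timestamps of SMS sent in the last hour

    def register(self, login: str, phone: str) -> None:
        self._phones[login] = phone
        self._sends[login] = deque()

    def send(self, login: str) -> str:
        """Return 'sent', 'cooldown' or 'quota'. Only 'sent' costs the owner money."""
        now = self._clock()
        log = self._sends[login]
        while log and now - log[0] >= 3600:
            log.popleft()
        if log and now - log[-1] < SEND_COOLDOWN_SECONDS:
            return "cooldown"
        if len(log) >= MAX_SENDS_PER_HOUR:
            return "quota"
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._codes[login] = {"code": code, "expires": now + OTP_TTL_SECONDS,
                              "attempts": 0, "burned": False}
        log.append(now)
        self._gw.send(self._phones[login], f"Your code: {code}")
        return "sent"

    def verify(self, login: str, code: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'expired'."""
        entry = self._codes.get(login)
        if entry is None or self._clock() > entry["expires"]:
            self._codes.pop(login, None)
            return "expired"
        if entry["burned"]:
            return "locked"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
            entry["burned"] = True       # the sixth guess kills the code; a new SMS is needed
            return "locked"
        if secrets.compare_digest(entry["code"], code):
            self._codes.pop(login)       # one-time: consumed on success
            return "ok"
        return "wrong"


def sms_flood_cost(threads=10, requests_per_second=1, seconds=24 * 3600, price=0.30):
    """The post's arithmetic with no limit at all: 10 * 1 * 86,400 = 864,000 SMS a day."""
    messages = threads * requests_per_second * seconds
    return messages, round(messages * price, 2)


def demo():
    now = [0.0]
    gw = RecordingGateway()
    svc = OtpService(gw, clock=lambda: now[0])
    svc.register("alice", "+380000000000")           # constructed number
    flood = [svc.send("alice") for _ in range(1000)]  # 1,000 requests in one second
    spaced = []
    for _ in range(3):                                # patient attacker waits out the cooldown
        now[0] += SEND_COOLDOWN_SECONDS + 1
        spaced.append(svc.send("alice"))
    real_code = gw.sent[-1][1].split()[-1]
    wrong = [f"{(int(real_code) + i) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}" for i in range(1, 8)]
    guesses = [svc.verify("alice", g) for g in wrong]
    return flood.count("sent"), spaced, gw.cost(), guesses, svc.verify("alice", real_code)
```

    Without the cap, 5 guesses out of 10^6 is a 0.0005% chance per code; with unlimited attempts and a code that stays valid, the expected number of requests to hit a 6-digit code is about 500,000, which a dozen threads finish in a few hours, exactly the "matter of time" described above. A cooldown also works against the newsletter and activation flood in the next paragraph, where the victim's phone rather than the owner's wallet is the target.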

    As a separate item, I want to note the sending of any information via SMS without restrictions, for example an SMS newsletter subscription where only a phone number is entered, or an SMS activation code after registration.
    For cybercriminals this is a gold mine: such functionality is used to flood phones. They automate the requests, enter the victim's number, and bombard it with SMS carrying a code or a message about a successful newsletter subscription.

    I would like to finish here on password recovery. The only thing I would add is that this kind of vulnerability, insufficient complexity of passwords and hashes, surrounds us in huge numbers. The latest such example is the CITILINK company, which issues discount cards only to buyers who spend 5000 rubles at one time. The card itself is very useful and lets you save money. But technically the card is an ordinary 6-digit number + a 4-digit activation code, with unlimited attempts to guess that code.
    It is also worth noting the recent incident with Skype, when an error in password recovery made it possible to gain access to someone else's account.

    When you work in this area and study different scams all the time, sometimes you just wonder how anyone could even think of such a thing. You say a lot of obvious things, but all of them become obvious only after we pay attention to them, and usually that happens after the criminals have already committed a crime.

    I am very often asked which of the employees should be responsible for such shortcomings. And I really want to say that everyone is a little to blame. But when I look at these things not as an information security specialist who reads a pile of news and articles, monitors thematic forums and digs into every fraud scheme, but as an ordinary person without all this information, I pull myself up and stop thinking that way: only a person with all this mercenary nastiness in his head will be able to think through all these nuances in advance, and the complexity of the attack will depend only on his sophisticated imagination. :)

    With this, I declare the first part finished. If you like the approach of this article, I will continue writing. I have many examples scattered across various topics.
