Password recovery - hackers, welcome!


    Each of us has at least once run into the situation where the password for a mailbox is forgotten but you need to read the letters in it. Here the password recovery procedure comes to the rescue, which caring services have built specifically for such cases. From a security point of view, this procedure raises the most questions. As it turned out, not without reason.

    Our research center Positive Research looked at how easy it is to get unauthorized access to user accounts on VKontakte, Facebook, Google, Mail.Ru and Yandex. And not through technical attacks, but only through social engineering.

    Wikipedia describes social engineering as a method of manipulating people without using technical means. In our case, this is a way of gaining unauthorized access to a person's personal information, again, without using any special knowledge or tools.

    Of course, you can always send a phishing email and get the user to visit a site where he will give away his username and password, or plant a trojan and wait. There are many ways. But we were interested in something else. We wanted to check how realistic it is to get into a user's account using only publicly available information that can be found on the Internet. No user interaction. No technical tricks. No zero-day vulnerabilities.


    Back to the Future. Vkontakte, Google, Mail.Ru

    We were able to access the accounts of all these services.
    In the case of Vkontakte and Google, it turned out that, having certain information about the user (contacts, a photo, the security question), you can easily get into his account.

    Vkontakte

    Vkontakte pays quite a lot of attention to the security of its users and has come up with its own password recovery method. You will even be asked to take a photo of yourself against the background of the password recovery page, after uploading a scan of an identity document. Everything would be fine, but for verification Vkontakte relies on the weakest link: a person. They paid for it. After a series of manipulations with the password recovery form and contact details, plus correspondence with the support service, access to the user's page was obtained in less than a day.

    Google

    With Google the situation is about the same. Password recovery is pretty easy. And after gaining access to the Gmail.com account, we have at our disposal all the services the user works with, from YouTube to Picasa. For example, the password recovery procedure was started at a moment when the account owner was still working with Google services: he was chatting via Google Talk and downloading files from the Android Market. The services stopped working all of a sudden, without any warning from Google. Moreover, even two-factor authentication tied to a mobile phone could not stop such an attack.

    Mail.Ru

    With Mail.Ru, the situation is more complicated. This service is also friendly to its users and accommodates them in many matters. On the one hand, this is gratifying; on the other, it provides excellent opportunities for attackers. Publicly available information alone was not enough. However, after online communication directly with the victim, who kindly provided us with all the necessary data, access to the account was obtained without any problems.


    Forward to the future. Facebook

    Facebook

    The social network Facebook showed the most balanced approach, combining concern for the convenience and the security of the user. The protection scheme is not quite standard: binding to e-mail, binding to a phone, and the ability to use friends to restore access to the page. Moreover, those friends must be people you have known for more than a day or two; we could not get into the user's list of trusted contacts even after two weeks of activity. If you no longer have access to your mail or the security question, Facebook reports that it cannot do anything and advises you to register again.



    Separately, I would like to single out Yandex. This is a great example of how not to over-tighten the screws. We were unable to get into the user's account because the requirements of the password recovery procedure are too stringent. Suppose your mailbox, with Yandex.Money attached to it, has been hijacked. You have not linked a phone. You do not remember the secret question. Support demands a passport. Everything is lost: both Yandex.Money and Yandex.Mail.


    So, what conclusions can be drawn:

    • the password recovery function is a weak spot in the protection of user accounts on mass online services;
    • for Internet resources, the need to maintain a balance between the convenience of the service for users and its security comes to the fore;
    • users are rather careless about security rules and their own data, and thereby unwittingly assist attackers.

    Thus:
    Vkontakte: access obtained. Getting at the data is easy; loyal technical support.
    Google: access obtained. Getting at the data is easy; loyal technical support.
    Mail.Ru: access obtained. The data can be reached, but only after communicating with the user.
    Facebook: access not obtained. The data cannot be reached. Facebook is great!
    Yandex: access not obtained. The data cannot be reached, but the requirements of the password recovery procedure are very strict.


    The password recovery actions concerned real user accounts on VKontakte, Facebook, Google, Mail.Ru and Yandex. We informed the owners of these accounts about the objectives of the study and received their consent to perform actions with their accounts. After the project was completed, the access details were returned to the owners, and no further actions were carried out using this data. All the Internet resources we worked with were also notified of the vulnerabilities found and took measures to eliminate the detected shortcomings.

    Our research does not end there: Positive Technologies continues to analyze the security of social networks and other popular Internet services. We will present the results of new studies at the Positive Hack Days international forum on practical security, which will be held May 30-31, 2012 in Moscow.
