lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001201c4f018$c9989d40$9865fea9@island55>
Date: Sat, 1 Jan 2005 10:44:31 -0500
From: "Steven" <steven@...ebug.org>
To: <bugtraq@...urityfocus.com>, <bugs@...uritytracker.com>,
        <vulnwatch@...nwatch.org>, <full-disclosure@...ts.netsys.com>
Subject: AOL's Online Password Reset feature does not
	fully validate user information

Vendor:   America Online Inc.
Date:     January 1, 2005
Issue:    AOL's Online Password Reset feature does not fully validate user information
URL:      http://www.aol.com 
Advisory: http://www.lovebug.org/aolpwreset_advisory.txt


Service Overview:

This report is in reference to the Online Password Reset that exists for the AOL client for paying user accounts and not AOL Instant Messenger.  I think chances are if you're reading this, you should be familiar that AOL is still the world's largest Internet Service Provider.

Issue:

AOL has an Online Password Reset feature that enables users that have forgotten their password to reset it online.  This features comes by way of a window that may popup if the user has supplied an invalid password two times in a row. (Note: This does not apply when signing on as Guest or at New User).  The first screen that pops up is a word verification screen.  The user must simply write the letters in a box that are displayed from an image.  Upon doing this the user is brought to the next and most important screen in the process.  This is the Member Verification screen where they must enter the First Name, Last Name, and the Daytime and Evening Phone Number along with the Last 4 Digits of their billing method account number or the answer to an account security question (if one is set).  If an account security question is in place, it will only ask the user for the First Name and Last Name, and the answer to the account security question.  It will not ask for the phone numbers or the last four digits of the billing method.

While these may not be the most secure items to ask for to begin with, there is an issue with user input validation.  To successfully reset the password for an account, the user does NOT need to supply the full first or last name.  In fact, only the first letter of both is required.  If the name on my account were Homer Simpson, all I would need to do is type in H and S for the first and last name.  The next issue is that it does not appear to check both daytime and evening phone numbers.  In my limited testing, I have found that you can simply enter one correct phone number in either field and the second phone number does not matter (in fact you can just put 555-555-5555).  However, in their credit it appears that the answer to the security question must be complete and exactly as originally typed. Also, if the last four digits of the billing method comes up, the exact and entire four must be entered correctly for validation.

This results in a problem with only having to supply a limited bit of information to reset a password.  On an even more extreme note, this could also be used to discover information about an account.  The user is given 4 tries to get the information correct to reset the password.  If the user enters some fields correctly but others incorrectly, the Online Reset window will return the correct fields with the previously entered information and leave all invalid fields blank.  This can be used to verify a name, phone number, and billing digits on the account.

Solutions: 

At the login screen intentionally typed your password incorrectly two times.  When the password reset window pops up, enter the word verification and then go to Member Verification screen.  At this point just enter bogus information four times until it boots you off.  This will disable the online reset feature for the screen name since the information was entered incorrectly.  The feature will probably be turned on again at some point after a given period of time, but I believe it is a rather long period of that's the case.  Also, don't use a security question with an easy answer that people might know or is flat out guessable (i.e. What is my favorite color?).


Vendor Response:

After my previous bug reports related to America Online, I noted that I had knowledge of more (and I still do) and would be more than willing to share this information with the vendor if they cared to hear it.  I received a response from AOL not too long after that, but it seems that maintaining the communication is rather difficult for some reason.  The vendor has not been notified of this problem, atleast not until reading this.

My e-mail address hasn't change and works fine: <steven@...ebug.org> | If anyone at AOL is interested in knowing bugs prior to disclosure, feel free to drop me a line.  There's a few more you might like to know about :-)

Credits:

Myself and the year 2005.

Go Hokies! Sugar Bowl Time! :D


-Steven
steven@...ebug.org


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ