lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090502090555.22696.qmail@securityfocus.com>
Date: 2 May 2009 09:05:55 -0000
From: innate@....de
To: bugtraq@...urityfocus.com
Subject: about inactive account hijacking

INACTIVE ACCOUNT HIJACKING

author:	        l0om
page:		l0om.org
date:		02.05.2009

OVERVIEW:

I would like to draw your attention on a problem that is already known and is surely exploited for a long time, but clearly seems to be underestimated.

the problem is explained quickly:
- email service provider delete inactive accounts after six or twelve months of inactivity and release the adresse (nearly every big email provider does it)
- many platforms (webshops, forums, etc...) do NOT delete inactive accounts

This asymmetry in handling inactive accounts has the consequence that thousands of accounts of various online platforms can be hijacked by attackers without any technical difficulties.

The procedure is so simple that it hardly needs to be mentioned:
- An attacker takes an old email address and try to register this email account at the email service provider.
- If it can be registered, it is assumed that the account has been released (or has never existed).
- Then the attacker tries at a variety of online platforms to create accounts for the just mentioned email address.

+ If the registration would be successful, there is no account for this email address at this online platform registered
+ If the registration fails, because it already have an account there, there has been found a registered account for this email address and now its getting ugly.
	
an attacker can hijack the account of the online platform if he simply register the email account and now uses the forgotten-the-password-function. the attacker gets a link which can be used to set a new password. Now he has the user data and the functions of the original owner in his control.

jeopardized are all possible online systems with such a forgotten-password-functional in use.

furthermore on holidays an attacker gets newsletter emails which lead the attacker to another accounts.

one interesting fact is that especailly very big platforms (webshops and forums which are kinda oldschool for the net) are vulnerable.

DEFENSE:

it is necessary to process as quick as possible the forgotten-the-password-function on large platforms. instead of just ask for the emailaddress to identify yourself you should be asked for eg. the last numbers of your banking account. this information shouldnt be found somewhere in the internet. this will make the efficient execution of the attack impossible.
furthermore newsletter scripts should check for delivery-faild messages caused by non existing accounts. such accounts can be locked and should be locked (maybe deleted).

GREETINGS:

John K., IČ, Molke, McFly, Takt, Proxy, johnny long, murfie, Maximilian, Theldens, Commander Jansen, detach, ole 
and last but not least Jquade

FLAMES:

salem, the knilch

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ