Business Logic Flaws :: Password Recovery ::
Class: Weak Password Recovery Validation
The business owners of a website plan to reduce support costs by supplementing expensive customer support representatives with a Web-based customer self-service tool. One feature includes the ability to recover forgotten passwords. If a user wants to reset their password, they enter their email address and answer a previously defined secret question. The question is something personal, which makes it easy to remember, and in this case happens to be their favorite color. When the user correctly answers the question, they’re presented with an HTML form to enter a brand new password.
1. Can you spot the security problem?
There are very few available colors that the average user might choose, making it really easy for an attacker to guess all the common possibilities (red, blue, green, black, etc.). To compensate for the oversight, the business owners decide to introduce another secret question, but this time one that would be harder to guess. The date of birth (DOB) is decided upon, which includes the month, day and year, because it provides a significantly larger amount of possible answers. Should the user correctly answer both secret questions (color and DOB) they would be allowed to reset their password.
2. Can you spot the security problem?
There are actually a few problems. While the DOB is harder to guess, the data isn’t exactly confidential, and it has only roughly 16,200 possible answers (12 months x 30 days x the 45 years between ages 15 and 60) based upon plausible average user demographics. An attacker brute forcing the answer at an average speed of 1 guess per second would exhaust them all in only 4.5 hours.
Which brings us to the next problem: there is no limit on the number of guesses an attacker may try before the account is locked for a period of time or protected with a CAPTCHA.
Undeterred, the business owners decide to add yet another secret question. But this time they pick the user’s city of birth (COB). Certainly only the real user would be able to correctly answer all three questions, and there is no way an attacker could guess their way through. Also added was an image-based CAPTCHA system to prevent brute force attacks.
3. Can you spot the security problem?
While the secret questions are steadily becoming harder for an attacker to guess, not to mention more of a burden on the users, the COB often doesn’t scale internationally. For example in Mexico, home to 106 million people, 30% of the population is from one of five urban areas (Mexico City, Guadalajara, Monterrey, Puebla and Toluca)*.
Suddenly, what was a hard-to-guess secret question for a U.S. citizen has been reduced to a 1 in 5 chance for roughly 1/3 of Mexican users.
Next, the business owner decides that instead of fighting the cat and mouse game of secret questions, which negatively impact the user experience, they can utilize the user’s email address. Certainly only the real user has access to their inbox, and email sniffing is considered an acceptable risk. When a user requests a password reset, the back-end system sends them an email containing the following link for them to click on: http://website/password_reset?account=user@email.tld
When clicked, the user is presented with a password reset form.
4. Can you spot the security problem?
The URL format is predictable. Attackers can easily brute force email addresses to reset user account passwords; that is, if they can’t find valid addresses ahead of time. To improve the security of the system, the user’s email address is removed and replaced with a session ID to track which account the request is tied to. To ensure uniqueness, the session ID uses a 12-digit number that increments each time a user requests a password reset. For example:
http://website/password_reset?id=000000001000
http://website/password_reset?id=000000001001
http://website/password_reset?id=000000001002
5. Can you spot the security problem?
To reset another account password, a malicious user would first attempt to reset their own password a few times in order to analyze the new URL format. They would notice that the format uses a predictable incrementing number. In one attack they could decrement their session ID number manually to see if they can beat any users to resetting their passwords. Or, they could initiate an account password reset for a user and start incrementing the session ID in the URLs until they find the right number.
Solution
Password recovery systems are especially difficult to secure against abuse. The best approach is to keep them as simple as possible, and utilizing a user’s email address provides a well-accepted form of authentication. Make sure the session identifiers are not predictable by an attacker.
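As an added example (not code from the original page), here is a reset flow in which the emailed link carries an unpredictable, single-use, expiring token instead of the incrementing id= value from the scenario, and redemption is throttled after repeated bad guesses. The `token=` parameter name, the 15-minute lifetime and the 5-attempt limit are assumptions for the example, and the in-memory dict stands in for a database.

```python
import hashlib
import secrets
import time

# Added example (not from the original page). Assumed policy values:
TOKEN_TTL_SECONDS = 15 * 60   # reset links expire after 15 minutes
MAX_FAILED_REDEEMS = 5        # stop redeeming after 5 bad tokens


def _digest(token: str) -> str:
    # Store only a hash, so a leaked table does not reveal live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock, so expiry can be tested
        self.pending = {}       # digest -> (account, expiry timestamp)
        self.failed = 0         # failed redemptions (stand-in for per-client throttling)

    def issue_link(self, account: str) -> str:
        # 32 bytes from the OS CSPRNG: the next link cannot be derived from
        # this one, unlike the incrementing 12-digit id in the scenario.
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (account, self.now() + TOKEN_TTL_SECONDS)
        return f"http://website/password_reset?token={token}"

    def redeem(self, token: str):
        """Return the account bound to a valid token, or None on any failure."""
        if self.failed >= MAX_FAILED_REDEEMS:
            return None         # throttled: too many bad guesses already
        key = _digest(token)    # lookup by hash; no timing leak on the raw token
        entry = self.pending.pop(key, None)   # single use whatever the outcome
        if entry is None:
            self.failed += 1
            return None
        account, expiry = entry
        if self.now() > expiry:
            return None         # link too old; user must request a new one
        return account
```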
References
* Demographic Information for Mexico