Even weak attackers can pull off a password reset man-in-the-middle attack by getting you to register at a new website.

At the IEEE Symposium on Security and Privacy 2017, researchers from the College of Management Academic Studies in Israel presented an interesting paper on bad password reset processes, “The Password Reset MitM Attack” (pdf). It explains how a weak attacker could take over accounts by exploiting vulnerabilities in password reset procedures. They dubbed the attack password reset man-in-the-middle (PRMitM).

The researchers said Google is “extremely vulnerable” to PRMitM, but Facebook, Yahoo, LinkedIn, Yandex and other sites and email services are also vulnerable, as are mobile apps like Whatsapp, Snapchat and Telegram.

To pull off a password reset man-in-the-middle, an attacker only needs to set up a website that requires users to register in order to access whatever bait the site is using; it might be free services, free software, or some other freebie that can only be downloaded by logging in. The registration process may ask for differing bits of basic information, but as soon as a victim enters his email address, the automated attack can begin.

The attacker goes to the specified email provider or site and starts the “forgot my password” process. If a CAPTCHA challenge is presented, the attacker forwards it to the victim and forwards the answer back to the site where the attacker is trying to break into an account. The remaining security questions presented to the registering victim are the security questions which the attacker is being asked to answer during the password reset procedure.
The attacker forwards the asked security questions to the victim and then forwards the victim’s answers back to the site where he initiated a password reset.

Some sites use answers to security questions for a password reset, so in one experiment, the researchers asked participants to register on a website and to give their mother’s maiden name as a security question. Nearly 77 percent went ahead and handed over the real answer to a low-importance website. Since that is a bit like handing over the keys to your digital kingdom, it is better to give the correct answer to security questions such as mother’s maiden name only to highly important sites (think banking). As long as you can remember what you answered, it is better security not to answer truthfully, and not to use that same exact answer on other sites.

PRMitM can defeat 2FA

PRMitM can defeat two-factor authentication. In this scenario, an attacker doesn’t need to trick a wireless provider into porting a phone number to a different mobile device under his control. If the account the attacker is trying to take over requires authentication (2FA) via mobile device, the attacker’s site will ask for the victim’s phone number during registration. The attacker will then claim to have sent a code which the victim needs to enter, but it is really the code the attacker is being asked to provide during the password reset procedure.

You would think a victim would notice the security code sent to her phone is the verification code for a different service, but not all sites identify themselves when sending SMS. The code might just come from a phone number without indicating which service sent it.
Other times, users might not be paying enough attention to the sender; if they are waiting on a code, they might enter it as soon as it is received instead of actually reading the full message.

The researchers found that Google, for example, sends a code saying it is a Google verification code, but does not say it is for a password reset. Netflix sends a verification code without identifying that it came from Netflix, showing only the number it was sent from. eBay sends a PIN without indicating it is from eBay. Microsoft, Facebook and Twitter indicate in the SMS that it is an account password reset code.

PRMitM vulnerabilities in Whatsapp, Snapchat and Telegram

The researchers found similar password reset vulnerabilities in messaging apps when it comes to SMS messages sent during a password reset. Whatsapp, Snapchat and Telegram also offer a phone call method for a password reset. However, the researchers noted, “In the phone calls of Whatsapp, Snapchat and Telegram, there is neither indication to the source of the call nor explanation about the meaning of the received code nor warning about not giving away the code.”

The researchers present numerous countermeasures and guidelines which would help protect against PRMitM attacks. The suggested rules and recommendations can be used by vulnerable sites to improve password reset procedures.

As for the vulnerable vendors identified in the paper, the researchers said they reported their findings to each:

“Vendors that are severely vulnerable to the PRMitM attack either fixed the vulnerability (Snapchat, Yahoo!) or informed us that they plan to fix the vulnerability (Google, LinkedIn and Yandex). Other websites, which are less vulnerable (e.g., Facebook) thanked us, and told us they will consider using our findings in the future, but they do not plan to apply fixes soon.”
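One way a site can audit its own reset SMS text against the three properties the article keeps returning to (name the sending service, say the code is for a password reset, warn the user not to give it away), as an added example written for this article and not code from the researchers or any vendor named; the sample messages are constructed to resemble the article's descriptions, not the vendors' real wording:

```python
import re

# Added example: a small linter for password-reset SMS text. It checks the
# three properties the article says a reset message should carry.


def audit_reset_sms(text: str, service: str) -> dict:
    """Return, per guideline, whether the message satisfies it."""
    t = text.lower()
    return {
        # Does the message name the service that sent it?
        "names_service": service.lower() in t,
        # Does it say the code is for a password reset, not generic verification?
        "states_purpose": re.search(r"password\s*reset|reset\s+(your\s+)?password", t) is not None,
        # Does it tell the recipient not to hand the code to anyone?
        "warns_not_to_share": re.search(r"(do not|don't|never)\s+(share|give|forward|tell)", t) is not None,
    }


def missing_guidelines(text: str, service: str) -> list:
    """Names of the guidelines the message fails, in a fixed order."""
    return [name for name, ok in audit_reset_sms(text, service).items() if not ok]


def build_reset_sms(service: str, code: str) -> str:
    """Compose a reset SMS that satisfies all three guidelines."""
    return (f"{service} password reset code: {code}. "
            f"{service} will never ask you for this code; do not share it with anyone.")


# Constructed sample messages modelled on the article's descriptions
# (hypothetical wording, not what these vendors actually send).
SAMPLES = {
    "Google":    "G-482913 is your Google verification code.",
    "Netflix":   "Your verification code is 482913.",
    "Microsoft": "Use 482913 as Microsoft account password reset code.",
}

if __name__ == "__main__":
    for service, text in SAMPLES.items():
        print(f"{service}: missing {missing_guidelines(text, service) or 'nothing'}")
    fixed = build_reset_sms("Example", "482913")
    print("compliant:", missing_guidelines(fixed, "Example") == [])
```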