At the IEEE Symposium on Security and Privacy 2017, researchers from the College of Management Academic Studies in Israel presented an interesting paper on bad password reset processes, "The Password Reset MitM Attack" (pdf). It explains how a weak attacker could take over accounts by exploiting vulnerabilities in password reset procedures. They dubbed the attack the password reset man-in-the-middle (PRMitM). The researchers said Google is "extremely vulnerable" to PRMitM, but Facebook, Yahoo, LinkedIn, Yandex and other sites and email services are also vulnerable, as are mobile apps like Whatsapp, Snapchat and Telegram.

To pull off a password reset man-in-the-middle, an attacker only needs to set up a website that requires users to register in order to access whatever bait the site is using; it might be free services, free software, or some other freebie that can only be downloaded by logging in. The registration process may ask for differing bits of basic information, but as soon as a victim enters his email address, the automated attack can begin.

The attacker goes to the specified email provider or site and starts the "forgot my password" process. If a CAPTCHA challenge is presented, the attacker forwards it to the victim and forwards the answer back to the site where the attacker is trying to break into an account.

The security questions presented to the registering victim are the same security questions the attacker is being asked to answer during the password reset procedure. The attacker forwards those questions to the victim and then forwards the victim's answers back to the site where he initiated the password reset.

Some sites use answers to security questions for a password reset, so in one experiment, the researchers asked participants to register on a website and to give their mother's maiden name as a security question. Nearly 77 percent went ahead and handed over the real answer to a low-importance website. Since it is a bit like handing over the keys to your digital kingdom, it is better to give the correct answer to security questions such as mother's maiden name only to highly important sites (think banking). As long as you can remember what you answered, it is better security to not answer truthfully... and not to use that same exact answer on other sites.

PRMitM can defeat 2FA

PRMitM can defeat two-factor authentication. In this scenario, an attacker doesn't need to trick a wireless provider into porting a phone number to a different mobile device under his control. If the victim's account which the attacker is trying to take over requires authentication (2FA) via mobile device, the attacker's site will ask for the victim's phone number during registration. The attacker will then claim to have sent a code which the victim needs to enter, but it is really the code the attacker is being asked to provide during the password reset procedure.

You would think a victim would notice that the security code sent to her phone is the verification code for a different service, but not all sites identify themselves when sending SMS. The code might just come from a phone number without indicating which service sent it. Other times, users might not be paying enough attention to the sender; if they are waiting on a code, they might enter it as soon as it is received instead of actually reading the full message.

The researchers found that Google, for example, sends a code saying it is a Google verification code, but does not say it is for a password reset. Netflix sends a verification code without identifying that it came from Netflix, showing only the number it was sent from. eBay sends a PIN without indicating it is from eBay. Microsoft, Facebook and Twitter indicate in the SMS that it is an account password reset code.

PRMitM vulnerabilities in Whatsapp, Snapchat and Telegram

The researchers found similar password reset vulnerabilities in messaging apps when it comes to SMS messages sent during a password reset. Whatsapp, Snapchat and Telegram also offer a phone call method for a password reset. However, the researchers noted, "In the phone calls of Whatsapp, Snapchat and Telegram, there is neither indication to the source of the call nor explanation about the meaning of the received code nor warning about not giving away the code."

The researchers present numerous countermeasures and guidelines which would help protect against PRMitM attacks. The suggested rules and recommendations can be used by vulnerable sites to improve password reset procedures.

As for the vulnerable vendors identified in the paper, the researchers said they reported their findings to each:

"Vendors that are severely vulnerable to the PRMitM attack, either fixed the vulnerability (Snapchat, Yahoo!) or informed us that they plan to fix the vulnerability (Google, LinkedIn and Yandex). Other websites, which are less vulnerable (e.g., Facebook) thanked us, and told us they will consider using our findings in the future, but they do not plan to apply fixes soon."
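The article's three properties of a well-formed reset SMS (it names the service, says the code is for a password reset, and warns against handing the code over) can be turned into a template check a site can run over its own messages. The following is an added example, not code from the paper or from any of the vendors named above; the service names and message texts are constructed for illustration and mirror the categories the article describes, from a bare code up to a message that states all three.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SmsAudit:
    names_service: bool   # message says which service sent it
    states_purpose: bool  # message says the code is for a password reset
    warns_sharing: bool   # message tells the user not to give the code away

    @property
    def passes(self) -> bool:
        # A template is only PRMitM-resistant when all three cues are present.
        return self.names_service and self.states_purpose and self.warns_sharing


def audit_reset_sms(message: str, service: str) -> SmsAudit:
    """Check one verification-SMS template against the three cues."""
    text = message.lower()
    names_service = service.lower() in text
    states_purpose = re.search(r"(password|account)\s+(reset|recovery)", text) is not None
    warns_sharing = re.search(r"(don't|do not|never)\s+(share|give|tell|forward)", text) is not None
    return SmsAudit(names_service, states_purpose, warns_sharing)


# Constructed sample templates (hypothetical services, not real vendor messages).
SAMPLES = {
    "StreamCo": "Your verification code is 483920.",                      # no sender, no purpose
    "MailCo": "Your MailCo verification code is 483920.",                  # sender but no purpose
    "SocialCo": "483920 is your SocialCo password reset code.",           # sender and purpose
    "ExampleCorp": "ExampleCorp password reset code: 483920. "
                   "Do not share this code with anyone.",                  # all three cues
}


def audit_all(samples: dict = SAMPLES) -> dict:
    """Audit every template and return the per-service findings."""
    return {svc: audit_reset_sms(msg, svc) for svc, msg in samples.items()}


if __name__ == "__main__":
    for svc, result in audit_all().items():
        status = "OK  " if result.passes else "FAIL"
        print(f"{status} {svc:12s} {result}")
```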