
Password recovery - hackers, welcome!


Each of us has at least once faced a situation where the password to a mailbox is forgotten but the letters need to be read. This is where the password recovery procedure comes to the rescue, developed by caring services specifically for such cases. It is precisely this procedure that raises the most questions from a security point of view. As it turned out, not without reason.

Our research center Positive Research looked at how easy it is to gain unauthorized access to user accounts on VKontakte, Facebook, Google, Mail.Ru and Yandex. Not by technical attacks, but only with the help of social engineering.

Wikipedia describes social engineering as a method of manipulating people without the use of technology. In our case, this is a way of obtaining unauthorized access to a person's personal information, again without using any special knowledge or tools.

Of course, you can always send a phishing email and get the user to visit a site where he will enter his login and password, or plant a Trojan and wait. There are many ways. But we were interested in more. We wanted to check how realistic it is to gain access to a user account using only publicly available information that can be found on the Internet. No user interaction. No technical frills. No "zero day" vulnerabilities.


Back to the Future. "Vkontakte", Google, Mail.Ru

We managed to gain access to accounts on all of these services.
In the case of VKontakte and Google it turned out that, having certain information about the user (contacts, a photo, the secret question), one can easily access his account.

VKontakte

VKontakte pays considerable attention to the safety of its users and came up with its own password recovery method. You will even be offered to take a photograph of yourself against the background of the password recovery page, with a scan of an identity document uploaded beforehand. Everything would be fine, but VKontakte relies on the weakest link for the check: a person. And it paid for this. As a result of a series of manipulations with the password recovery form and contact information, plus correspondence with the support service, access to the user's page was obtained in less than a day.

Google

With Google the situation is about the same. The password was recovered quite easily. And after gaining access to the Gmail.com account, all the services the user works with are at our disposal, from YouTube to Picasa. Notably, the password recovery procedure was launched at a moment when the account holder was still working with Google services: chatting via GoogleTalk, downloading files from the Android Market. The services stopped working suddenly, without any warning from Google. Moreover, even two-factor authentication tied to a mobile phone could not stop such an attack.

Mail.Ru

With Mail.Ru the situation is more complicated. This service is also friendly to its users and accommodates them in many ways. On the one hand this is good news; on the other hand it provides excellent opportunities for attackers. Here, publicly available information was not enough. However, after direct virtual communication with the victim, who kindly provided us with all the necessary data, access to the account was obtained without any problems.


Forward to the future. Facebook

Facebook

The social network Facebook demonstrated the most balanced approach, combining concern for the user's convenience with concern for his safety. The protection scheme is not quite standard: linking to an e-mail address, linking to a phone, and the ability to use friends to restore access to the page. And those friends must be people you have known for more than a day or two; we could not get into the user's list of trusted contacts even after two weeks of activity. If you no longer have access to the e-mail and the secret question, Facebook reports that it cannot do anything and advises you to register again.



Separately, I would like to highlight Yandex. This is a great example of how not to tighten the screws. We were unable to access the user account because the password recovery requirements are too stringent. For example: your mailbox with Yandex.Money has been taken over. No phone is linked. The secret question is not remembered. The support service requires a passport. Everything is lost, both Yandex.Money and Yandex.Mail.


So, what conclusions can be drawn:

• the password recovery function is a weak spot in the protection of users of mass online services;
• the need to strike a balance between the convenience of a service for its users and its security is coming to the fore for Internet resources;
• users are rather careless about security rules and their own data, and thereby inevitably assist intruders.

In summary:

Service   | Result              | Comment
VKontakte | Got access          | Access to data is easy to get; loyal technical support
Google    | Got access          | Access to data is easy to get; loyal technical support
Mail.Ru   | Got access          | Access to data can be obtained, but only after communication with the user
Facebook  | Access not received | Access to data cannot be obtained; Facebook, well done!
Yandex    | Access not received | Access to data cannot be obtained, but very strict requirements for the password recovery procedure


The password recovery steps were performed against real user accounts on VKontakte, Facebook, Google, Mail.Ru and Yandex. We informed the owners of these accounts about the research objectives and received their consent to perform actions with their accounts. After the project was completed, the access details were returned to the owners; no additional actions were taken using this data. All online resources we worked with were also notified of the vulnerabilities found and took steps to eliminate the detected shortcomings.

Our research does not end there: Positive Technologies continues to analyze the security of social networks and other popular Internet services. We will present the results of new research at the Positive Hack Days international forum on practical security, which will be held on May 30-31, 2012 in Moscow.

News - in our blog!

Source: https://habr.com/ru/post/135056/
