A few words about how this post is structured. Everything described here is based on real cases from my own practice, most of them involving well-known projects, so I will name them in the text.
The main thing I want to point out is that this article may not seem interesting to information security specialists, since it contains no new attack vectors or particularly clever techniques. Everything here is aimed at developers and project managers.
In an audit engagement, the goal is to find how an attacker can do the maximum damage with the minimum of effort and knowledge. As practice shows, in the harsh conditions of real software production only a handful of projects think such nuances through.
One popular problem area is password recovery and the access to user accounts that it grants. There is probably no site today without a password recovery function. I have divided these functions into several types in order to consider each of them:
- Security question and answer
- Unique email link
- Sending a new or existing password by email
- SMS OTP (one-time password)
Of course, this is only the tip of a large iceberg. There are problems in other approaches too, such as OAuth, but a lot has already been written about those, and they are mostly technical nuances, whereas I am more interested in business logic.
So, let us consider the weaknesses of each of the points above.
Security Question - Answer
One serious omission in this approach is often that the user cannot set their own question, combined with issuing a form for entering a new password as soon as the correct answer is entered.
According to operational information, this attack was carried out against WesternUnion, which gave reason to think seriously about the security of this function and to temporarily restrict it. Analysis of the service showed that the user was offered a choice of three questions: pet's name, hometown, and mother's maiden name. Obtaining the answers for dozens of users by social engineering was not hard; the social networks facebook, twitter, lj and others came to the rescue.
Besides social engineering there was also a more technical route: the answers for hometown and pet's name could be guessed using small dictionaries. This attack could have been prevented by an additional CAPTCHA field, which was subsequently added. Thus, thanks to ordinary flaws in the password recovery functionality, attackers gained access to the WU transfer function with elevated limits from compromised user profiles. The database of users they worked through (logins and emails) had been obtained from another source, through a more banal SQL injection vulnerability, and malicious code had also been placed on the main page of the hacked site.
Conclusions:
- Allow the user to set their own security question and answer, without restrictions
- Limit the number of attempts to enter the correct answer per unit of time, for example 10 attempts per hour
Unique email link
An interesting story happened with one client who asked for help. Users of a popular start-up exchange, NaPartner, had begun filing mass complaints about their passwords being changed. After analysing every step of password recovery, the only place where a problem could hide was the unique link, which had a single parameter: an md5 hash. Running this md5 value through a hash database gave a result very quickly: it turned out to be a 4-digit numeric code, i.e. something of the form md5(1234). A few minutes later a ready test tool existed which took a user's login, sent a password recovery request, guessed this "unique" hash in a matter of seconds using a dozen threads, and then set the password 12345 through the unique link. The problem was fixed by using more complex source data for the hash. A similar problem was observed repeatedly at other clients.
Pay attention to a few things:
- A unique link must be one-time and must become inactive after the password is changed or the user logs in.
- There must be a limit on the number of attempts to enter the code; 5 is enough.
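The two failure modes above, a link whose only secret is md5 of a 4-digit number and a link that stays valid after use, side by side with a hardened version. This is an added example written for this post, not NaPartner's code or its actual fix: weak_token() and crack_weak_token() reproduce the described flaw (assuming the number was hashed without zero padding), while ResetTokenStore and complete_reset() are this example's own design, with a 15-minute lifetime chosen as an assumption.

```python
# Added example (not the original post's code, nor NaPartner's actual fix).
# weak_token() reproduces the flaw described above: the reset link carried
# md5 of a 4-digit number. ResetTokenStore is this example's own hardened
# design; the 15-minute lifetime is an assumption.
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def weak_token(n: int) -> str:
    """The described flaw: the link parameter is md5 of a 4-digit decimal number
    (assumed here without zero padding, i.e. md5("1234"))."""
    return hashlib.md5(str(n).encode()).hexdigest()


def crack_weak_token(token_hex: str) -> Optional[int]:
    """Recover the number behind a weak token: only 10,000 md5 calls are needed,
    which is why the attack tool finished in a matter of seconds."""
    for n in range(10_000):
        if weak_token(n) == token_hex:
            return n
    return None


class ResetTokenStore:
    """Hardened reset links: 256-bit random token, kept server-side only as a
    SHA-256 digest, time-limited, single-use, and revoked for the whole account
    when the password changes or the user logs in."""

    TTL = 15 * 60  # seconds a link stays valid (assumption)

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}  # digest -> (user, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        # Storing only the digest means a leaked database does not leak live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not enumerable
        self._entries[self._digest(token)] = (user, self._clock() + self.TTL)
        return token  # goes into the e-mailed link only

    def consume(self, token: str) -> Optional[str]:
        """Return the user the token belongs to, or None. The token is removed on
        first use whether or not it is still fresh, so a link works exactly once."""
        entry = self._entries.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expiry = entry
        return user if self._clock() <= expiry else None

    def revoke_all(self, user: str) -> None:
        """Call on successful password change and on login."""
        for digest in [d for d, (u, _) in self._entries.items() if u == user]:
            del self._entries[digest]


def complete_reset(store: ResetTokenStore, token: str,
                   new_password_hash: str, users: Dict[str, str]) -> bool:
    """The page behind the link: only a valid token unlocks the new-password
    step, and every other outstanding link for that account dies with it."""
    user = store.consume(token)
    if user is None:
        return False
    users[user] = new_password_hash  # store a password hash, never the password
    store.revoke_all(user)
    return True
```

The token lookup is by SHA-256 digest, so the string comparison inside the dictionary cannot leak anything useful about the 256-bit token itself; the attempt limit on entering the code is a separate counter, handled the same way as for any other one-time code.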
Sending a new / valid password by email
This is probably the most common approach, and one that requires a more elaborate attack to gain access to a user account.
Several recommendations are worth noting here:
- Never store the user's password in clear text, and certainly never send it by email.
- Never send a new / temporary password without first having the user confirm the change through a unique link.
- Never generate simple, short new / temporary passwords.
Unfortunately, points 2 and 3 are often found together, which gives attackers the following plan: request password recovery for the victim, whereupon a new password is generated for the user with a fixed length of 5 characters, or of digits only at a fixed length; then brute-force that password.
BONUS: In one popular online game, Stronghold Kingdoms, there was a single SQL injection, in the password recovery / login forms: on the login field (which is also the email) an AJAX request checked whether that record existed in the database. Such a check is very common on different sites, and I want to describe how it can be exploited even where there is no SQLi. Usually it is used to obtain part of the user base: attackers take large databases of email addresses and run them through the site, then use the hits for login / password guessing. This may seem very strange and unlikely to you, but when money or enthusiasm (or both) is at stake, nothing is improbable. It is also worth noting that during password recovery you are sometimes asked to enter a username and then shown a message saying which email the password was sent to, which can itself become a reason to go after that mailbox. Be sure to hide part of the email behind asterisks.
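Two pieces of the BONUS point in code: masking the e-mail shown after a recovery request, and a recovery endpoint whose response does not reveal whether the login exists. This is an added example, not code from the post or from Stronghold Kingdoms; the user table is constructed for the demo, the masking rule (first and last character kept, a fixed three asterisks between) is this example's own choice, and example.invalid is a placeholder host.

```python
# Added example, not code from the post or from Stronghold Kingdoms. The user
# table is constructed for the demo, the masking rule is this example's own
# choice, and example.invalid is a placeholder host.
import secrets
from typing import List, Tuple

USERS = {  # constructed sample data: login -> e-mail on file
    "ivan": "ivan.petrov@example.com",
    "olga": "o.s@mail.example",
}

SENT: List[Tuple[str, str]] = []  # outgoing mail captured for the demo


def mask_email(addr: str) -> str:
    """Hide most of an address, as the text recommends, without leaking its
    length: 'ivan.petrov@example.com' -> 'i***v@e***e.com'. Parts of two
    characters or fewer are masked completely so nothing useful survives."""
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address")

    def mask(part: str) -> str:
        return "***" if len(part) <= 2 else part[0] + "***" + part[-1]

    name, dot, tld = domain.rpartition(".")
    masked_domain = mask(name) + dot + tld if dot else mask(domain)
    return mask(local) + "@" + masked_domain


def recovery_response(login: str) -> str:
    """Enumeration-resistant recovery endpoint: the response is identical whether
    or not the login exists, and the token is generated on both paths so the
    timing is alike. Only the real owner, reading the mailbox, learns anything."""
    token = secrets.token_urlsafe(32)
    email = USERS.get(login)
    if email is not None:
        SENT.append((email, "https://example.invalid/reset?t=" + token))
    return "If that login exists, a recovery link has been sent to its e-mail address."


def recovery_response_naming_destination(login: str) -> str:
    """The weaker variant the text describes, fixed only as far as the text asks:
    the destination is named, but masked. It still confirms that the login
    exists, so pair it with per-source rate limits if the product insists on
    this message."""
    email = USERS.get(login)
    if email is None:
        return "No such login."
    SENT.append((email, "https://example.invalid/reset?t=" + secrets.token_urlsafe(32)))
    return "A recovery link has been sent to " + mask_email(email) + "."
```

The AJAX "does this login exist?" check from the game should get the same treatment as recovery_response(): one answer for every input, or no such endpoint at all.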
SMS OTP (One-time password)
Since the previous item was rather dull, Captain-Obvious territory, I suggest a more interesting and equally common puzzle for the last item: time-limited SMS codes, especially since such an SMS code can not only be bypassed but can also make the site owner pay out of pocket.
One of the audit engagements was for a Ukrainian company whose name remains secret under NDA. It is a financial service that was fanatically tied to SMS OTP, for almost every action. Testing was quite annoying, because I had to sit hugging a mobile phone and enter these codes every time. But as it turned out later, after authorization it was possible to switch the SMS password in the profile to a normal password. This looked like a great chance to use SMS OTP as the basis for gaining access to user accounts. The code arriving by SMS was always 6 digits, and it is impossible not to recall the md5(1234) we considered above: yes, the same logic applied. First of all I checked the number of attempts allowed for entering the code, and it was unlimited; after that it was only a matter of time to write a working prototype that guessed the SMS OTP and sent a request to set 12345 as the password in my profile.
In this way we managed to gain access to the test user and withdraw funds from his balance.
I did not stop there: during testing I had sent myself a lot of text messages, and I decided to calculate the costs:
1 SMS = 0.30 rubles (30 kopecks; the real cost of an SMS for this client)
A script running in 10 threads sends at least 1 request per second per thread, that is, 10 requests per second.
In total, over 24 hours of the script running, we can send 10 * 60 * 60 * 24 = 864,000 SMS, which will cost the client 259,200 Russian rubles (more than $8,000).
Conclusion: limit both the number of SMS sent for one login and the number of attempts to check the OTP.
As a separate item I want to mention sending any information by SMS without restrictions, for example an SMS subscription to a newsletter where you enter only a phone number, or an SMS activation code after registration.
For attackers this is a gold mine: such functionality is used to flood phones. They automate the requests, enter the victims' numbers, and then flood them with your text messages carrying a code or a message about successful subscription to the news.
That is all I wanted to say about password recovery. The only thing I would add is that vulnerabilities of this kind, insufficient complexity of passwords and hashes, surround us in huge numbers. The latest such example is the CITILINK company, where discount cards are issued only to buyers who have spent 5000 rubles or more. The card itself is very useful and lets you save money. But technically the card is an ordinary 6-digit number plus a 4-digit activation code, with unlimited attempts to guess that code.
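The SMS send cap and the verification attempt cap from the conclusion above, together with the flooding cost arithmetic, as one added example; this is not the audited service's code. The limits (3 codes per phone per hour, 5 wrong guesses per code, 5-minute code lifetime) are this example's assumptions, _deliver() stands in for the SMS gateway, and UnlimitedOtpService reproduces the audited behaviour so that brute_force() can show the difference. The same per-code attempt counter is what the earlier sections ask for on security answers and reset codes.

```python
# Added example, not the audited company's code. The limits (3 codes per phone
# per hour, 5 wrong guesses per code, 5-minute code lifetime) are this
# example's assumptions; _deliver() stands in for the SMS gateway.
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Tuple


class OtpService:
    SEND_LIMIT = 3          # codes per phone within SEND_WINDOW
    SEND_WINDOW = 3600.0    # seconds
    MAX_ATTEMPTS = 5        # wrong guesses before the code is burnt
    CODE_TTL = 300.0        # seconds a code stays valid

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sends: Dict[str, Deque[float]] = defaultdict(deque)
        self._codes: Dict[str, List] = {}   # phone -> [code, expiry, attempts_left]
        self.sms_sent = 0                   # what the site owner pays for

    def send_code(self, phone: str) -> bool:
        """Send a fresh 6-digit code unless this phone already got SEND_LIMIT codes
        in the window. The same cap stops brute force by re-requesting codes and
        the SMS flooding of someone else's number."""
        now = self._clock()
        recent = self._sends[phone]
        while recent and recent[0] <= now - self.SEND_WINDOW:
            recent.popleft()
        if len(recent) >= self.SEND_LIMIT:
            return False
        recent.append(now)
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._codes[phone] = [code, now + self.CODE_TTL, self.MAX_ATTEMPTS]
        self.sms_sent += 1
        self._deliver(phone, code)
        return True

    def _deliver(self, phone: str, code: str) -> None:
        pass  # SMS gateway stand-in; a subclass can override it to capture codes

    def has_active_code(self, phone: str) -> bool:
        return phone in self._codes

    def verify(self, phone: str, guess: str) -> bool:
        """Each code is one-time and gets MAX_ATTEMPTS wrong guesses, then it is
        burnt: the attacker must request a new SMS, which send_code() also caps."""
        entry = self._codes.get(phone)
        if entry is None:
            return False
        code, expiry, left = entry
        if self._clock() > expiry:
            del self._codes[phone]
            return False
        if hmac.compare_digest(code, guess):
            del self._codes[phone]
            return True
        entry[2] = left - 1
        if entry[2] <= 0:
            del self._codes[phone]
        return False


class UnlimitedOtpService(OtpService):
    """The audited behaviour: no cap on guesses and none on sends."""
    MAX_ATTEMPTS = 10 ** 6
    SEND_LIMIT = 10 ** 9


def brute_force(svc: OtpService, phone: str) -> Optional[int]:
    """Guess every 6-digit code in order. Returns how many guesses it took, or
    None once the service burnt the code. Against the unlimited service the
    expected cost is 500,000 guesses, seconds of work over a dozen threads."""
    for n in range(10 ** 6):
        if svc.verify(phone, f"{n:06d}"):
            return n + 1
        if not svc.has_active_code(phone):
            return None
    return None


def flood_cost(threads: int, req_per_sec: float, hours: float,
               rub_per_sms: float) -> Tuple[int, float]:
    """The bill from the text: SMS count and cost for a sustained send loop."""
    sms = int(threads * req_per_sec * 3600 * hours)
    return sms, sms * rub_per_sms
```

flood_cost(10, 1, 24, 0.30) reproduces the 864,000 messages and 259,200 rubles computed above; with SEND_LIMIT in place the same loop stops at three messages per number per hour, and the guessing loop dies after five wrong codes instead of walking the whole 6-digit space.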
It is also worth noting the recent Skype incident, when an error in password recovery made it possible to gain access to someone else's account.
When you work in this area and study different scams all the time, sometimes you just wonder how anyone could have thought of such a thing. You say a lot of obvious things, but all of them become obvious only after we pay attention to them, and usually that happens after a criminal has already committed a crime.
Very often I am asked which of the employees should be responsible for such defects. I really want to say that everyone is a little guilty. But when I look at these things not as an information security specialist who reads a pile of news and articles, monitors the relevant forums and digs into every fraud scheme, but as an ordinary person without all that information, I restrain myself and settle on the thought that only a person with all this self-serving stuff in their head can think through all these nuances in advance, and moreover the complexity of the actions depends only on their sophisticated imagination. :)
With that I declare the first part finished. If you like the approach taken in this article, I will keep writing; there are many more examples that I have spread across various topics.
