INACTIVE ACCOUNT HIJACKING
author: l0om
page: l0om.org
date: 02.05.2009
OVERVIEW:
I would like to draw your attention to a problem that is already known and has surely been exploited for a long time, but clearly seems to be underestimated.
The problem is quickly explained:
- email service providers delete inactive accounts after six or twelve months of inactivity and release the address (nearly every big email provider does this)
- many platforms (webshops, forums, etc.) do NOT delete inactive accounts
This asymmetry in the handling of inactive accounts means that thousands of accounts on various online platforms can be hijacked by attackers without any technical difficulty.
The procedure is so simple that it hardly needs to be spelled out:
- An attacker takes an old email address and tries to register it at the email service provider.
- If it can be registered, the address has evidently been released (or never existed).
- The attacker then tries to create accounts for that email address at a variety of online platforms.
  + If the registration succeeds, no account for this email address exists at that platform.
  + If the registration fails because an account with this address already exists, the attacker has found a registered account for this email address, and now it gets ugly.
An attacker who has registered the released email account simply uses the forgotten-password function of the platform. He receives a link with which a new password can be set. Now the user data and all functions of the original owner's account are under his control.
At risk is every online system with such a forgotten-password function in use.
Furthermore, the attacker now receives the newsletter emails addressed to the former owner (especially around holidays), which point him to further accounts of that person.
One interesting fact is that especially very big platforms (webshops and forums that are kind of old school for the net) are vulnerable.
DEFENSE:
The forgotten-password function of large platforms needs to be reworked as quickly as possible. Instead of only asking for the email address to identify yourself, the user should additionally be asked for something like the last digits of his bank account number. This information should not be findable anywhere on the internet. This makes the efficient (mass) execution of the attack impossible.
Furthermore, newsletter scripts should check for delivery-failed messages caused by non-existent mailboxes. Such accounts can and should be locked (maybe deleted).
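The following is an added example and not code from the original advisory: a toy model of the asymmetry described above, with the attack procedure run against a naive platform and against the two defenses proposed here. A mail provider releases an inactive address, the platform keeps the account, and the outcome depends on whether the reset function demands a second identifier and whether the newsletter job locks accounts on hard bounces. The names Platform, MailProvider, bank_suffix, the example addresses and the constructed DSN text are assumptions for illustration.

```python
# Added example, not part of the original advisory. Everything here
# (class names, addresses, the constructed bounce line) is made up for
# illustration.
import re
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    password: str
    bank_suffix: str      # hypothetical out-of-band identifier (last digits of bank account)
    locked: bool = False


class MailProvider:
    """Provider that deletes inactive mailboxes and releases the address."""

    def __init__(self, active: set):
        self.active = set(active)

    def expire(self, addr: str) -> None:
        # mailbox deleted after months of inactivity; the address is free again
        self.active.discard(addr)

    def register(self, addr: str) -> bool:
        # anyone may claim a released (or never used) address
        if addr in self.active:
            return False
        self.active.add(addr)
        return True

    def deliver(self, addr: str) -> Optional[str]:
        """None on success, otherwise a constructed DSN line for a hard bounce."""
        if addr in self.active:
            return None
        return f"550 5.1.1 <{addr}>: Recipient address rejected: User unknown"


DSN_STATUS = re.compile(r"^\d{3} (\d+\.\d+\.\d+) ")


def is_unknown_user(dsn: str) -> bool:
    """RFC 3463 enhanced status 5.1.1 = bad destination mailbox (permanent)."""
    m = DSN_STATUS.match(dsn)
    return bool(m) and m.group(1) == "5.1.1"


class Platform:
    def __init__(self, require_second_factor: bool):
        self.require_second_factor = require_second_factor
        self.accounts: dict = {}
        self.reset_tokens: dict = {}

    def register(self, email: str, password: str, bank_suffix: str) -> bool:
        if email in self.accounts:
            return False   # "already registered": the signal the attacker probes for
        self.accounts[email] = Account(password, bank_suffix)
        return True

    def request_reset(self, email: str, bank_suffix: Optional[str] = None) -> Optional[str]:
        """Token the platform would mail to the address, or None if refused."""
        acct = self.accounts.get(email)
        if acct is None or acct.locked:
            return None
        if self.require_second_factor and bank_suffix != acct.bank_suffix:
            return None
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        email = self.reset_tokens.pop(token, None)
        if email is None:
            return False
        self.accounts[email].password = new_password
        return True

    def send_newsletter(self, provider: MailProvider) -> list:
        """Lock every account whose address hard-bounces as 'user unknown'."""
        locked = []
        for email, acct in self.accounts.items():
            dsn = provider.deliver(email)
            if dsn is not None and is_unknown_user(dsn):
                acct.locked = True
                locked.append(email)
        return locked


def hijack(platform: Platform, provider: MailProvider, victim: str) -> bool:
    """The attack from the advisory: claim the released address, abuse forgotten-password."""
    if not provider.register(victim):
        return False
    token = platform.request_reset(victim)   # the attacker knows only the address
    return token is not None and platform.complete_reset(token, "attacker-pw")


def scenario(second_factor: bool, bounce_check: bool) -> bool:
    """True if the attacker ends up controlling the victim's platform account."""
    victim = "old-user@example.net"          # constructed address
    provider = MailProvider({victim})
    platform = Platform(require_second_factor=second_factor)
    platform.register(victim, "victim-pw", "4711")
    provider.expire(victim)                  # mailbox dies after a year of inactivity
    if bounce_check:
        platform.send_newsletter(provider)   # the bounce arrives before the attacker acts
    return hijack(platform, provider, victim)


if __name__ == "__main__":
    print("naive platform:            ", scenario(False, False))
    print("second factor on reset:    ", scenario(True, False))
    print("bounce check on newsletter:", scenario(False, True))
```

Note the ordering in the last scenario: the bounce check only helps if a mailing goes out in the window between the provider releasing the address and the attacker re-registering it; once the attacker owns the mailbox, deliveries succeed again and the account is never locked. The second identifier on the reset form does not have that race, which is why the advisory puts it first.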
GREETINGS:
John K., I², Molke, McFly, Takt, Proxy, johnny long, murfie, Maximilian, Theldens, Commander Jansen, detach, ole
and last but not least Jquade
FLAMES:
salem, the knilch