
about inactive account hijacking



INACTIVE ACCOUNT HIJACKING

author:         l0om
page:           l0om.org
date:           02.05.2009

OVERVIEW:

I would like to draw your attention to a problem that is already known and has 
surely been exploited for a long time, but clearly seems to be underestimated.

The problem is quickly explained:
- email service providers delete inactive accounts after six or twelve months of 
inactivity and release the address for re-registration (nearly every big email 
provider does this)
- many platforms (webshops, forums, etc.) do NOT delete inactive accounts

This asymmetry in the handling of inactive accounts means that thousands of 
accounts on various online platforms can be hijacked by attackers without any 
technical difficulty.

The procedure is so simple that it hardly needs to be mentioned:
- An attacker takes an old email address and tries to register it as a new 
account at the email service provider.
- If it can be registered, the address has been released (or never existed) 
and the attacker now controls the mailbox.
- The attacker then tries to create accounts for that email address at a 
variety of online platforms.

+ If the registration succeeds, no account exists for this email address on 
that platform (the attacker has merely created a fresh one).
+ If the registration fails because an account with this email address already 
exists, the attacker has found a registered account for the address he now 
controls, and now it gets ugly.

The attacker can hijack the platform account simply by using the 
forgotten-password function: the platform sends a link for setting a new 
password to the email address, i.e. to the mailbox the attacker has just 
re-registered. Now he has the user's data and all functions of the original 
owner under his control.

All online systems that use such an email-only forgotten-password function are 
at risk.

Furthermore, the re-registered mailbox keeps receiving newsletters (around the 
holidays, for example), which lead the attacker to further accounts registered 
under that address.

One interesting observation is that it is especially the very big platforms 
(webshops and forums that are old-school by internet standards) that are 
vulnerable.

DEFENSE:

Large platforms need to fix their forgotten-password function as quickly as 
possible. Instead of asking only for the email address to identify yourself, 
the function should ask for a second piece of information, e.g. the last digits 
of your bank account number. This information should not be findable anywhere 
on the internet, so requiring it makes efficient execution of the attack 
impossible. Furthermore, newsletter scripts should check for delivery-failure 
messages caused by mailboxes that no longer exist. Such accounts can and should 
be locked (and perhaps deleted).
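The attack walked through in the OVERVIEW and both countermeasures from the DEFENSE section, as an added example. This code is not from l0om's advisory and models no real email provider or platform. It assumes a toy platform that keeps accounts in a dictionary, hands reset links to a simulated outbox that the attacker can read once he has re-registered the address, uses the last four digits of a bank account as the extra secret (the advisory's suggestion; the field name bank_last4 is mine), and receives newsletter bounces as RFC 3464 delivery status notifications whose Status field carries an RFC 3463 enhanced code. The names Platform, Account, process_bounce, attacker_enumerate, attacker_hijack, the sample addresses and the two bounce messages are all constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass

# RFC 3463 enhanced status codes meaning the recipient mailbox no longer exists (5.1.1 bad
# destination mailbox address, 5.1.6 mailbox moved, no forwarding). Transient 4.x.x codes
# and e.g. 5.2.2 (mailbox full) must not lock anyone out.
MAILBOX_GONE = {"5.1.1", "5.1.6"}

@dataclass
class Account:
    email: str
    password: str
    bank_last4: str = ""    # extra secret asked for at reset (assumed scheme, not the advisory's)
    locked: bool = False

class Platform:
    """Toy web platform that, like those in the advisory, never deletes inactive accounts."""

    def __init__(self):
        self.accounts = {}  # email -> Account
        self.outbox = []    # (recipient, reset token): stands in for outgoing SMTP
        self.pending = {}   # reset token -> email

    def register(self, email, password, bank_last4=""):
        if email in self.accounts:
            return False    # the "already registered" error the attacker probes for
        self.accounts[email] = Account(email, password, bank_last4)
        return True

    def _issue_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        self.outbox.append((email, token))

    def reset_naive(self, email):
        """Original flow: knowing the email address is the whole identity check."""
        if email in self.accounts:
            self._issue_reset(email)

    def reset_hardened(self, email, bank_last4):
        """DEFENSE flow: extra secret required, locked (bounced) accounts refused."""
        acct = self.accounts.get(email)
        if acct is None or acct.locked or not acct.bank_last4:
            return          # same empty reply as on success: no account-existence oracle
        if secrets.compare_digest(acct.bank_last4, bank_last4):
            self._issue_reset(email)

    def complete_reset(self, token, new_password):
        email = self.pending.pop(token, None)
        if email is not None:
            self.accounts[email].password = new_password
        return email is not None

def process_bounce(platform, dsn_text):
    """Second defence: lock the account when a mailing hard-bounces with 'mailbox gone'
    (reads the per-recipient fields of an RFC 3464 delivery status notification)."""
    fields = dict(re.findall(r"^([A-Za-z-]+):\s*(.+?)\s*$", dsn_text, re.M))
    recipient = fields.get("Final-Recipient", "").split(";")[-1].strip().lower()
    gone = fields.get("Action", "").lower() == "failed" and fields.get("Status") in MAILBOX_GONE
    acct = platform.accounts.get(recipient)
    if acct is None or not gone:
        return None         # unknown address, delayed, mailbox full, etc.: leave the account alone
    acct.locked = True
    return recipient

def attacker_enumerate(platform, candidates):
    """Advisory step 3: a failed registration reveals an existing account."""
    return [e for e in candidates if not platform.register(e, "throwaway")]

def attacker_hijack(platform, email, request_reset):
    """The attacker re-registered `email` at the provider, so he reads the reset mail himself."""
    request_reset(email)
    for to, token in platform.outbox:
        if to == email:
            return platform.complete_reset(token, "pwned")
    return False

# Constructed DSNs for the demo (not real bounces): a permanent 'user unknown' and a transient delay.
DSN_GONE = """Final-Recipient: rfc822; bob@example.org
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <bob@example.org>: Recipient address rejected: User unknown
"""
DSN_DELAYED = """Final-Recipient: rfc822; alice@example.net
Action: delayed
Status: 4.4.1
"""

def demo():
    """Run the attack against both reset flows and the bounce handler; return what happened."""
    p = Platform()
    p.register("alice@example.net", "correct horse", "4711")  # inactive user, address released
    p.register("bob@example.org", "hunter2", "0815")
    r = {"enumerated": attacker_enumerate(p, ["alice@example.net", "nobody@example.net"])}
    r["naive_hijacked"] = attacker_hijack(p, "alice@example.net", p.reset_naive)
    # Hardened flow: the attacker can only guess the bank digits, so no link is ever sent.
    r["hardened_hijacked"] = attacker_hijack(p, "bob@example.org", lambda e: p.reset_hardened(e, "0000"))
    r["delayed_locked"] = process_bounce(p, DSN_DELAYED)
    r["gone_locked"] = process_bounce(p, DSN_GONE)
    p.reset_hardened("bob@example.org", "0815")               # right secret, but the address is gone
    r["link_after_bounce"] = any(to == "bob@example.org" for to, _ in p.outbox)
    return r
```

Running demo() shows alice (old account, address released) hijacked through the email-only reset, and bob protected twice over: the guessed bank digits never produce a link, and after the 5.1.1 bounce even the correct digits do not. Two details the advisory leaves implicit are worth keeping: only a permanent "mailbox does not exist" notice (5.1.1 or 5.1.6 with Action: failed) should lock an account, since a delay or a full mailbox would otherwise lock out genuine users; and the hardened reset must answer identically whether the address is unknown, the account is locked, or the secret is wrong, because a differing reply would hand the attacker the same account-existence oracle the registration form already gives him.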

GREETINGS:

John K., I², Molke, McFly, Takt, Proxy, johnny long, murfie, Maximilian, 
Theldens, Commander Jansen, detach, ole 
and last but not least Jquade

FLAMES:

salem, the knilch