HOTforSecurity
  • Home
  • Threats
    • Security alerts
    • Social Networks Security
    • Mobile & Gadgets Security
    • Tips and Tricks
  • Smart Home Security
  • Digital Privacy
    • Digital Identity
    • Good Practices
    • Data Breach Alerts
  • Work from Home: Safety Tips
  • The ABC of Cybersecurity
  • Security Videos
Filip TRUTA @FilipTrout
Industry News

This is how easily a hacker can reset your password and steal your account

June 27, 2017
3 Min Read

Researchers, in a paper published by the IEEE Computer Society, have shown how a man-in-the-middle (MITM) attack on the password reset process can be used to reset a user's password and then take over the account, whether it is an email account, a Twitter handle or a Facebook profile.

Using a website rigged to offer a freebie, such as an app that would otherwise cost money, the attacker lures unwary users into answering security questions like "what is the name of your best friend?" and forwards those answers to the password reset module of the victim's account on sites like Google, Facebook, Snapchat and others. The actual steps are:

  1. The user visits a website the attacker controls to obtain a resource, e.g. free software
  2. The site asks the user to register (for free) in order to access the resource
  3. The attacker thereby obtains the victim's email address
  4. The attacker opens the website of the victim's email provider and starts a password reset for that address
  5. Every challenge the provider presents to the attacker (security question, CAPTCHA, etc.) is forwarded to the victim as a step of the "registration" form
  6. Every answer the victim types into what he or she believes is the registration form for the free download is forwarded to the email provider
  7. The cross-site attacker thus becomes a man-in-the-middle of the password reset process
  8. The account is now compromised

A simple example of the password reset man-in-the-middle (PRMITM) attack, in its most basic form, was shown in a diagram in the original post (figure not reproduced here).

The attack also works when the reset mechanism sends a confirmation code by SMS or by an automated phone call. Because users typically do not read the entire message, especially when they are already expecting a confirmation code to arrive, they copy the code into the attacker's form just as readily, as the researchers explain.

“Informative password-reset messages do not prevent exploitation of users, mainly because many users ignore the text and just copy the code. The PRMitM attack can be used to take over accounts of very popular websites (e.g., Facebook) given minimal information about the user (e.g., phone number only). This allows easy exploitation in additional scenarios (not [just] registration),” the researchers say.
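The eight-step relay above, together with the SMS-code variant described in the last two paragraphs, as an added simulation that is not part of the original article or of the researchers' own code. All parties (the email provider, the victim and the attacker's "free download" site) are in-process Python objects with constructed data, so nothing touches a network; the victim record, the phone number and the domain `mail.example` are made up. The first provider texts a six-digit code to type back, which the rigged sign-up form relays exactly as steps 5 and 6 describe. The second provider is a hardening used here for contrast: its SMS carries a link that completes the reset on the provider's own origin, so the rigged form has no short code to ask for.

```python
"""Simulation of the password reset man-in-the-middle (PRMitM) relay.
Constructed example: every party is an in-process object, no network is used."""
import hmac
import re
import secrets


class CodeResetProvider:
    """Email provider whose reset flow asks a security question, then texts a
    six-digit code to type back. Both challenges can be relayed."""

    def __init__(self, users):
        self.users = users        # email -> {"phone", "question", "answer"}
        self.resets = {}          # reset_id -> per-reset state
        self.sms_outbox = []      # (phone, text) pairs the simulated carrier delivers

    def start_reset(self, email):
        """Anyone who knows the address can start a reset and see the first challenge."""
        rid = secrets.token_hex(8)
        self.resets[rid] = {"email": email, "stage": "question"}
        return rid, self.users[email]["question"]

    def submit(self, rid, typed):
        """Returns (takeover_token, next_prompt); both None when the flow ends."""
        st = self.resets[rid]
        user = self.users[st["email"]]
        if st["stage"] == "question":
            if typed.strip().lower() != user["answer"].lower():
                return None, None
            st["stage"], st["code"] = "code", f"{secrets.randbelow(10**6):06d}"
            # Warning text in the SMS; the study found users copy the digits regardless.
            self.sms_outbox.append((user["phone"],
                f"Your password reset code is {st['code']}. Do not share it with anyone."))
            return None, "Enter the code we just texted you"
        if st["stage"] == "code" and hmac.compare_digest(st["code"], typed):
            st["stage"] = "done"
            return secrets.token_hex(16), None   # set-new-password token: account takeover
        return None, None


class LinkResetProvider(CodeResetProvider):
    """Hardened variant: after the question, the SMS carries a link that completes the
    reset on the provider's own origin. There is no short code for a rigged form to ask for."""

    def submit(self, rid, typed):
        st = self.resets[rid]
        user = self.users[st["email"]]
        if st["stage"] == "question" and typed.strip().lower() == user["answer"].lower():
            st["stage"], st["token"] = "link", secrets.token_hex(16)
            self.sms_outbox.append((user["phone"],   # mail.example is a hypothetical domain
                f"To reset your password, tap https://mail.example/reset?t={st['token']}"))
            return None, "Tap the link we just texted you"
        return None, None           # nothing typed into a third-party form completes this flow

    def visit_link(self, token):
        """Reached by the victim's own browser when the link is tapped."""
        for st in self.resets.values():
            if st.get("stage") == "link" and hmac.compare_digest(st["token"], token):
                st["stage"] = "done"
                return secrets.token_hex(16)   # lands in the victim's session, not the attacker's
        return None


class Victim:
    """The behaviour the study relies on: answers the form, copies digits from the latest SMS."""

    def __init__(self, email, phone, answers, provider):
        self.email, self.phone, self.answers, self.provider = email, phone, answers, provider

    def respond(self, prompt):
        for topic, answer in self.answers.items():
            if topic in prompt.lower():
                return answer
        mine = [text for phone, text in self.provider.sms_outbox if phone == self.phone]
        code = re.search(r"\b(\d{6})\b", mine[-1]) if mine else None
        return code.group(1) if code else ""    # a link gives nothing short to type


class RiggedSite:
    """The attacker's 'free download' site; its sign-up form fronts the provider's reset."""

    def __init__(self, provider):
        self.provider, self.stolen, self.harvested = provider, {}, []

    def lure(self, victim):
        rid, prompt = self.provider.start_reset(victim.email)          # steps 3-4
        while prompt:
            typed = victim.respond(f"Finish registering for your free download: {prompt}")  # step 5
            self.harvested.append(typed)                               # security answers leak either way
            token, prompt = self.provider.submit(rid, typed)           # step 6
            if token:
                self.stolen[victim.email] = token                      # step 8
        return "Thanks! Your download is starting."


def run_attack(provider_cls):
    """Plays the whole relay against one provider type and returns the attacker's site."""
    users = {"alice@example.com": {"phone": "+15550100",    # constructed victim record
             "question": "What is the name of your best friend?", "answer": "Bob"}}
    provider = provider_cls(users)
    victim = Victim("alice@example.com", "+15550100", {"best friend": "Bob"}, provider)
    site = RiggedSite(provider)
    site.lure(victim)
    return site


if __name__ == "__main__":
    for cls in (CodeResetProvider, LinkResetProvider):
        site = run_attack(cls)
        print(f"{cls.__name__}: stolen={list(site.stolen)} harvested={site.harvested}")
```

Two things worth noticing when running it. First, the security-question answer is harvested by the rigged site in both flows, which is why the question stage is a liability independent of how the second factor is delivered. Second, the link-based flow defeats this particular relay only because the victim has nothing short to type; an attacker who instead asks the victim to paste the link is still in business, so the message wording and the landing page on the provider's origin must make the purpose of the link unmistakable.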

After a series of successful experiments, the researchers reported their findings to the companies running vulnerable sites, including Google and Facebook. While Snapchat, Yahoo!, Google, LinkedIn and Yandex followed through with the researchers' recommendations, Facebook only said thanks, adding that "they do not plan to apply fixes soon."

As a general rule, download files only from trusted sources and think twice before registering with a service you know nothing about. The PRMITM attack shows that an account can be taken over without its password ever being guessed, so even a strong password is no protection when the reset process itself is the weak link.

Tags: email account hacked, email hack, man-in-the-middle, mitm, password, password breach, password leak, password reset, PRMITM


About the author

Filip TRUTA

Filip is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware and cyber-security, and has worked in various B2B and B2C marketing roles. Filip currently serves as Information Security Analyst with Bitdefender.

2 Comments

  • James Beattie says:
    June 29, 2017 at 3:32 am

    Happy I got a membership with the 'Geek Squad' and "Bitdefender", I have been hacked a few times. Luckily the "Hackers" never got anything. Keep up the good work.

  • DaB says:
    July 2, 2017 at 12:19 am

    Your point is well taken about the threats of registered accounts and their passwords. One area where that's a risk is the increasing proportion of smartphone apps which ask for registration (a 'premium' account) or even require it for the app to work at all, and the corresponding increasing number of apps which collect personal data without permission, leak it from our phones unnecessarily (for the primary functionality it provides users) and which are shown to be fronts for malicious activity. Some of these account collecting apps work across platforms, increasing the threats. Not only does setting up or having accounts bring risks discussed in the article, the actual bargain posed to the user/customer is 'either you totally submit to our efforts to extract as much info from you as we can (and no transparency beyond glib TOS promises), or you can't use our service/app' for which there is no middle ground alternative or which respects the customer's best interests – all hidden in the fine print rarely read. Notably, the hacking and privacy threats of companies possessing customer email info has reached the point in Germany that there's a move to eliminate such customer lists. Hooray, if that's what it takes! I don't want to have to submit to an account's one-sided company rules or lifelong serfdom as a software/service renter in order to use the internet or my computer. If the alternative is to simply sell me the product and an update agreement, great, we should all have that option.
