Researchers at the IEEE Computer Society have shown how a man-in-the-middle (MITM) attack can be used to reset user passwords and subsequently steal a person’s account, be it their email, Twitter handle or Facebook profile.
Using a website rigged to offer a freebie, such as a cool app that would otherwise cost money, hackers can lure unwary users into answering security questions like “what is the name of your best friend?” and forward that information to their account’s password reset module on sites like Google, Facebook, Snapchat and others. The actual steps are:
- User accesses rigged website, which the attacker controls, to get a resource, e.g. free software
- Attacker asks the user to log in for free to access the resource
- Attacker gets the email address of the victim
- Attacker accesses the email service provider website and initiates a password reset process
- Attacker forwards every challenge he gets from the email service provider to the victim as part of the registration process, e.g. security question, CAPTCHA, etc.
- Every "solution" typed by the victim into what he/she believes is the registration process for the free download is then forwarded to the email service provider
- Cross-site attacker becomes a man-in-the-middle of a password reset process
- Account now compromised
A simple example of the password reset man-in-the-middle (PRMITM) attack, in its most basic form, is illustrated below:
But hackers can take things further if, say, the password reset mechanism asks for SMS confirmation or a phone call handled by a robot. Because users typically don’t read the entire message, especially when they know to expect a confirmation code to arrive, they will just as naively hand over their information, as the researchers explain.
“Informative password-reset messages do not prevent exploitation of users, mainly because many users ignore the text and just copy the code. The PRMitM attack can be used to take over accounts of very popular websites (e.g., Facebook) given minimal information about the user (e.g., phone number only). This allows easy exploitation in additional scenarios (not [just] registration),” the researchers say.
After a few successful experiments, the researchers reported their findings to companies running sites vulnerable to the attack, including Google and Facebook. While Snapchat, Yahoo!, Google, LinkedIn and Yandex followed through with the researchers’ recommendations, Facebook only said thanks, adding that “they do not plan to apply fixes soon.”
As a general rule, you should download files from trusted sources and think twice before registering with a service you know nothing about. This PRMITM attack stands as evidence that even a strong password can be easily compromised by a motivated hacker.
Happy I got a membership with the 'Geek Squad' and "Bitdefender"; I have been hacked a few times. Luckily the "Hackers" never got anything. Keep up the good work.
Your point is well taken about the threats of registered accounts and their passwords. One area where that's a risk is the increasing proportion of smartphone apps which ask for registration (a 'premium' account) or even require it for the app to work at all, and the corresponding increasing number of apps which collect personal data without permission, leak it from our phones unnecessarily (for the primary functionality it provides users) and which are shown to be fronts for malicious activity. Some of these account-collecting apps work across platforms, increasing the threats. Not only does setting up or having accounts bring the risks discussed in the article, the actual bargain posed to the user/customer is 'either you totally submit to our efforts to extract as much info from you as we can (and no transparency beyond glib TOS promises), or you can't use our service/app', for which there is no middle-ground alternative or one which respects the customer's best interests – all hidden in the fine print rarely read. Notably, the hacking and privacy threats of companies possessing customer email info have reached the point in Germany that there's a move to eliminate such customer lists. Hooray, if that's what it takes! I don't want to have to submit to an account's one-sided company rules or lifelong serfdom as a software/service renter in order to use the internet or my computer. If the alternative is to simply sell me the product and an update agreement, great, we should all have that option.