
This is how easily a hacker can reset your password and steal your account

Filip TRUȚĂ

June 27, 2017


Researchers, in a paper published by the IEEE Computer Society, have shown how a man-in-the-middle (MITM) attack on the password reset process can be used to reset a user's password and take over the account, be it an email account, a Twitter handle or a Facebook profile.

Using a website rigged to offer a freebie, such as a paid app offered for free, the attacker lures unwary users into answering security questions such as "What is the name of your best friend?" and relays each answer to the password reset flow of the victim's account on sites like Google, Facebook, Snapchat and others. The actual steps are:

  1. User accesses rigged website, which the attacker controls, to get a resource, e.g. free software
  2. Attacker asks the user to log in for free to access the resource
  3. Attacker gets the email address of the victim
  4. Attacker accesses the email service provider website and initiates a password reset process
  5. Attacker forwards every challenge received from the email service provider (security question, CAPTCHA, etc.) to the victim, presented as part of the registration process
  6. Every "solution" the victim types into what he or she believes is the registration form for the free download is forwarded to the email service provider
  7. Cross-site attacker becomes a man-in-the-middle of a password reset process
  8. Account now compromised

The researchers' figure shows the password reset man-in-the-middle (PRMitM) attack in its most basic form (image not reproduced here).

But attackers can take things further if, say, the password reset mechanism asks for confirmation via an SMS code or an automated phone call. Because users typically don't read the entire message, especially when they are already expecting a confirmation code to arrive, they hand the code over just as readily, as the researchers explain.

“Informative password-reset messages do not prevent exploitation of users, mainly because many users ignore the text and just copy the code. The PRMitM attack can be used to take over accounts of very popular websites (e.g., Facebook) given minimal information about the user (e.g., phone number only). This allows easy exploitation in additional scenarios (not [just] registration),” the researchers say.
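To make the relay in the eight steps above concrete, and to show why the researchers found that informative SMS text alone does not stop it, here is a small simulation written for this article. It is not the researchers' code or any provider's implementation. The provider, the rigged site (free-apps.example), the victim's account (alice@mail.example), the security question, phone number and codes are all constructed sample data, and the three reset variants (bare SMS code, informative SMS code, link-based reset) are assumptions chosen to mirror the mitigations discussed in the text.

```python
import re
import secrets


class EmailProvider:
    """Toy provider with a two-step reset: security question, then an out-of-band secret."""

    def __init__(self, accounts, informative_sms=False, link_based=False):
        self.accounts = accounts                # email -> {password, question, answer, phone}
        self.informative_sms = informative_sms  # name the service in the SMS text
        self.link_based = link_based            # send a link to the mailbox instead of a code
        self.pending = {}                       # reset_id -> {email, stage, secret}
        self.sms_outbox = []                    # (phone, text) as delivered to the handset
        self.mail_outbox = []                   # (email, text) as delivered to the mail client

    def start_reset(self, email):
        rid = secrets.token_hex(8)
        self.pending[rid] = {"email": email, "stage": "question", "secret": None}
        return rid, self.accounts[email]["question"]

    def answer_question(self, rid, answer):
        st = self.pending[rid]
        acct = self.accounts[st["email"]]
        if answer.strip().lower() != acct["answer"].lower():
            return "wrong answer"
        secret = secrets.token_hex(3)           # 6 hex chars, stands in for a 6-digit SMS code
        st["secret"], st["stage"] = secret, "secret"
        if self.link_based:
            # The secret rides in a link that the victim's own browser opens directly at
            # the provider; there is no short code that the victim is asked to retype.
            self.mail_outbox.append((st["email"],
                f"https://mail.example/reset?rid={rid}&t={secret}"))
        elif self.informative_sms:
            self.sms_outbox.append((acct["phone"],
                f"mail.example password reset code: {secret}. Never enter it on another site."))
        else:
            self.sms_outbox.append((acct["phone"], f"Your confirmation code is {secret}"))
        return "code sent"

    def finish_reset(self, rid, secret, new_password):
        st = self.pending.pop(rid, None)
        if st is None or st["stage"] != "secret" or secret != st["secret"]:
            return False
        self.accounts[st["email"]]["password"] = new_password
        return True


class Victim:
    """User who believes they are signing up on the rigged site (constructed behaviour)."""

    def __init__(self, email, answer, phone, reads_messages=False):
        self.email, self.answer, self.phone = email, answer, phone
        self.reads_messages = reads_messages    # False models "ignore the text, copy the code"

    def answer_security_question(self, question):
        return self.answer                      # looks like an ordinary sign-up question

    def paste_code_from_phone(self, provider, site_shown):
        texts = [t for phone, t in provider.sms_outbox if phone == self.phone]
        if not texts:
            return None                         # nothing arrived by SMS, nothing to paste
        text = texts[-1]
        if self.reads_messages and site_shown not in text:
            return None                         # the SMS names a different service: refuse
        m = re.search(r"\b[0-9a-f]{6}\b", text)
        return m.group(0) if m else None


def prmitm_attack(provider, victim, site_shown="free-apps.example"):
    """The rigged site proxies every reset challenge to the victim and every answer back."""
    rid, question = provider.start_reset(victim.email)          # step 4: attacker starts the reset
    answer = victim.answer_security_question(question)          # steps 5-6: challenge relayed
    if provider.answer_question(rid, answer) != "code sent":
        return False
    code = victim.paste_code_from_phone(provider, site_shown)   # "enter the code we texted you"
    if code is None:
        return False
    return provider.finish_reset(rid, code, "attacker-chosen-password")   # step 8


def run_scenarios():
    """Outcome of the relay under each reset design; True means the account was taken over."""
    account = {"alice@mail.example": {"password": "correct horse", "phone": "+15550100",
               "question": "What is the name of your best friend?", "answer": "Bob"}}
    fresh = lambda **kw: EmailProvider({k: dict(v) for k, v in account.items()}, **kw)
    naive = lambda: Victim("alice@mail.example", "Bob", "+15550100")
    careful = lambda: Victim("alice@mail.example", "Bob", "+15550100", reads_messages=True)
    return {
        "bare_sms_naive_user": prmitm_attack(fresh(), naive()),
        "informative_sms_naive_user": prmitm_attack(fresh(informative_sms=True), naive()),
        "informative_sms_careful_user": prmitm_attack(fresh(informative_sms=True), careful()),
        "link_based_naive_user": prmitm_attack(fresh(link_based=True), naive()),
    }


if __name__ == "__main__":
    for name, compromised in run_scenarios().items():
        print(f"{name}: {'account compromised' if compromised else 'attack failed'}")
```

Two of the four outcomes carry the lesson. The informative SMS only helps the user who actually reads it; the one who copies the six characters and ignores the sentence around them loses the account exactly as with the bare message, which is the researchers' point. The link-based variant fails in the simulation because no code ever reaches the victim for the attacker to ask for; in practice it raises the bar rather than closing the hole, since a victim could still be talked into pasting the whole URL, but a full reset link is far more conspicuous than a short code.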

After a few successful experiments, the researchers reported their findings to the companies running vulnerable sites, including Google and Facebook. While Snapchat, Yahoo!, Google, LinkedIn and Yandex followed through with the researchers' recommendations, Facebook only said thanks, adding that "they do not plan to apply fixes soon."

As a general rule, download files only from trusted sources and think twice before registering with a service you know nothing about, particularly one that asks you for the answers to security questions or for a code that was just sent to your phone. The PRMitM attack is evidence that even a strong password can be bypassed by a motivated attacker who never needs to learn it.
