The password reset functionality of any online service is a major source of risk. They are especially problematic when they use only a “secret question” concerning personal information only and don’t tie back to another email account or a text message. Another account or cell phone number is something “out of band” from a direct transaction with the online service. It becomes 2-factor authentication.
When an alternate email account or cell phone number is not tied to an account, online services often use personal information, supposedly only known by the account holder, to verify identity and reset a password. The risk here is the personal information is often known to other individuals and if the account holder is a public figure then the information may be easily researched. Birthdays, names of pets, locations of homes, schools, and events can often be discovered online or guessed.
Paris Hilton’s T-Mobile account, and thus all her Sidekick cell phone contents which were mirrored online, was compromised when someone “guessed” the answer to her secret question. The secret questions was, “What is your pet’s name.” The answer of course was, “Tinkerbell”. Something easily researched. Many people would not have their pets name online but friends, family memebers, or perhaps an ex would know the answer. Using a pet’s name is a very bad security practice.
Now we have Sarah Palin, another public figure, having her online account compromised because someone used the password reset functionality and guessed the answer to Sarah Palin’s secret question. This is how the attacker says he found out her personal information and guessed the answer to her secret question. He detials this on 4chan.org
rubico 09/17/08(Wed)12:57:22 No.85782652
Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.
In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.
after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)
the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.
I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…
Best practices for setting up the password reset functionality of any online service:
- Tie an account to another email account or cell phone number if that is an option. This will cause the service to send an out of band message and in essence make the password reset a 2-factor authentication.
- Do not use any personal information that can be guessed as the answers to secret questions. Treat these answers like passwords. Don’t use dictionary words. Add some numbers or symbols to the answer. For example is Sarah Palin had used “Wasilla high 1964″ or “!Wasilla high!” it is far less likely it would be guessed. Pick a scheme to modify your secret answers so they aren’t guessable.
- Try resetting your password. See if there are downgrade attacks which make it easier to reset the password. Yahoo for instance will allow you to specify that you don’t have access to the email address tied to your account and thus not send a password reset email. Since an attacker can do this the safety of using another account is eliminated thus making the answers to the secret question all that more important.
Update 9/18/2008 2:44pm EST:
Google has a much more secure password reset function. The following is from the Google password reset page:
To initiate the password reset process, please follow the instructions sent to your secondary email address.
If you don’t have a secondary email address, or if you no longer have access to that account, please try the ‘Forgot your password?’ link again after five days. At that point, you’ll be able to reset your password by answering the security question you provided when you created your account.
To prevent someone from trying to break into an account you’re actively using, the security question is only used for account recovery after an account has been idle for five days. The Gmail team cannot waive the five day requirement or access your password under any circumstances.
If you’re unable to answer your security question or access your secondary email account, we regret that the Gmail team cannot provide further assistance. If you’re concerned about the security of your account, please visit our Security Center.
This makes it quite difficult to change the password if you are not the account owner even if you know the answer to the secret question. Nice going Google!
Veracode Security Solutions
Penetration Testing Tool
Static Code Analysis
Web Application Testing
Software Testing Tools
Source Code Security Analyzer
Software Code Security
Application Testing Tool
Source Code Analysis
Code Review Tools
Veracode Security Threat Guides
Cross Site Scripting Vulnerabilities
Mobile Code Security
Written by: Chris Wysopal