[ISN] Forgotten password clues create hacker risk
isn at c4i.org
Tue Mar 21 04:11:02 EST 2006
By John Leyden
20th March 2006
Security flaws in the "forgotten password" feature of ecommerce
websites leave half the UK's online retailers open to attack,
according to security consultancy SecureTest.
It warns that the log-in process of many transactional websites can be
subverted by a "brute force" or enumeration attack. In a survey of 107
popular online retail websites in the UK, SecureTest found that 54 of
the sites (or 50.5 per cent) are potentially vulnerable to this type
of hack attack.
Differences in responses by applications when valid and invalid user
account names can give clues to hackers and form the basis of
enumeration attacks. If a valid user name (or registered email
address) is entered on a "forgotten password" page, a web application
might respond stating that a password will be sent to the user by
email. If an invalid user name is entered, the application could
respond with "invalid account name". Using this information, a script
can be written to try numerous account names, exploiting these
differences in response. While this is a time-consuming process it
does create a means to create a list of valid user names.
Armed with this list, a hacker might apply a similar brute force
attack to target the application and crack account passwords. Once
sets of user names and passwords are established a hacker would be
able to log into an account, make purchases or extract confidential
data, such as a user's postal addresses and credit card details.
"We test web applications daily and repeatedly find that enumeration
is possible. This problem is not limited to retail. Most websites with
a password reminder function are vulnerable to enumeration attacks,"
SecureTest managing director Ken Munro said. A self-confessed
ecommerce user, Munro said he looked into the issue after becoming
concerned about the way sites he used handled users with forgotten
passwords. Hack attacks targeting the forgotten passwords of ecommerce
websites are something neither Munro or ourselves can cite examples
of. However, Munro maintains that the risk is real and worth
considering, especially because defending against enumeration attacks
on passwords is a simple coding exercise.
Some etailers have implemented a "lock out" feature that restricts
access to accounts after a fixed number of failed password attempts.
SecureTest reckons this approach, while it might appear to be a good
idea, leaves open other forms of abuse such as a risk that the
attacker will bombard valid accounts with bad passwords, thus locking
out the retailers' customers. In effect this creates a Denial of
Service (DoS) attack with the application blocking bona fide users
through its own aggressive lock out policy.
SecureTest advises retailers to consult their application developer
about alternative countermeasures. The security consultancy has
developed a list of recommendations that can be taken to help prevent
brute force attacks against ecommerce sites:
* Instigate a 'time out' feature on the log-in form. This will slow
down a brute force attack to such an extent that it will render it
* Avoid applying a permanent lock-out on the log-in form: an attacker
could deliberately lock out valid users by trying bad passwords on
* Make sure the error message on the log-in form is generic; don't
distinguish between a valid/invalid username and valid/invalid
password. "Incorrect credentials entered" is a suitable response.
* Consider implementing a second authentication factor on the
forgotten password feature, e.g. a memorable date.
* Ensure you are logging HTTP POST requests from the log-in form and
forgotten password feature as this may not be enabled by default.
* Inspect logs to monitor attacks particular accounts and take
appropriate action if any such hacking attack is identified. ®
More information about the ISN