Researchers at the IEEE Computer Society have shown how a man-in-the-middle (MITM) attack can be used to reset user passwords and subsequently steal a person’s account, be it their email, Twitter handle or Facebook profile.
Using a website rigged to offer a freebie, such as a cool app that would otherwise cost money, hackers can lure unwary users into answering security questions like “what is the name of your best friend?” and forward that information to their account’s password reset module on sites like Google, Facebook, Snapchat and others. The actual steps are:
- User accesses rigged website, which the attacker controls, to get a resource, e.g. free software
- Attacker asks the user to log in for free to access the resource
- Attacker gets the email address of the victim
- Attacker accesses the email service provider website and initiates a password reset process
- Attacker forwards every challenge he gets from the email service provider to the victim as part of the fake registration process, e.g. security question, CAPTCHA, etc.
- Every “solution” typed by the victim into what he/she believes is the registration form for the free download is then forwarded to the email service provider
- The cross-site attacker thus becomes a man-in-the-middle of the password reset process
- The account is now compromised
A simple example of the password reset man-in-the-middle (PRMitM) attack, in its most basic form, is illustrated below:
But hackers can take things further if, say, the password reset mechanism asks for SMS confirmation or a phone call handled by a robot. Because users typically don’t read the entire message, especially when they know to expect a confirmation code to arrive, they will just as naively hand over their information, as the researchers explain.
“Informative password-reset messages do not prevent exploitation of users, mainly because many users ignore the text and just copy the code. The PRMitM attack can be used to take over accounts of very popular websites (e.g., Facebook) given minimal information about the user (e.g., phone number only). This allows easy exploitation in additional scenarios (not [just] registration),” the researchers say.
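The relay the steps above describe can be modelled in a few dozen lines. The following Python is an added illustration, not code from the article or from the researchers: `Provider` stands in for any account provider, browser sessions are plain strings, the `provider.example` URL is hypothetical, and out-of-band delivery (SMS or email) is simply the returned message string. It puts two reset designs side by side: a copyable code, which relays even when the message text is informative (the behaviour the quote describes), and a reset link that completes only in the browser session that opens it. Treating the link design as a mitigation is an assumption of the model, and it holds only when the victim clicks the link rather than pasting it into the rigged site.

```python
"""Toy model of the password-reset man-in-the-middle (PRMitM) flow.

Constructed example: 'Provider' stands for any account provider, browser
sessions are plain strings, and out-of-band delivery (SMS or email) is just
the returned message string. Nothing here contacts a real service.
"""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Provider:
    """Account provider offering two reset designs: a copyable code or a link."""
    passwords: Dict[str, str] = field(default_factory=dict)
    # token -> {"email", "kind" ("code" | "link"), "session" (None until a link is opened)}
    pending: Dict[str, dict] = field(default_factory=dict)

    def start_reset(self, email: str, kind: str) -> Tuple[str, str]:
        """Anyone can start a reset; the challenge goes out of band to the account owner."""
        if kind == "code":
            token = f"{secrets.randbelow(10**6):06d}"
            # Informative wording, as the researchers tested: it still relays, because
            # the victim copies the digits into whatever form asked for them.
            msg = (f"[provider] A password reset was requested for {email}. "
                   f"Your reset code is {token}. Do not share it with anyone.")
        elif kind == "link":
            token = secrets.token_urlsafe(16)
            # Hypothetical URL; the landing page is the provider's own site.
            msg = (f"[provider] A password reset was requested for {email}. "
                   f"Open https://provider.example/reset?t={token} to choose a new password.")
        else:
            raise ValueError("kind must be 'code' or 'link'")
        self.pending[token] = {"email": email, "kind": kind, "session": None}
        return msg, token

    def open_link(self, session: str, token: str) -> bool:
        """Link flow: the token binds to the first browser session that opens it."""
        p = self.pending.get(token)
        if p is None or p["kind"] != "link" or p["session"] is not None:
            return False
        p["session"] = session
        return True

    def complete(self, session: str, token: Optional[str], new_password: str) -> bool:
        """Code flow: whichever session presents the code wins.
        Link flow: only the session that opened the link may finish."""
        p = self.pending.get(token) if token else None
        if p is None:
            return False
        if p["kind"] == "link" and p["session"] != session:
            return False
        self.passwords[p["email"]] = new_password
        del self.pending[token]
        return True


def copy_code(message: str) -> Optional[str]:
    """Models the user the quote describes: ignores the text, copies the six digits."""
    m = re.search(r"\b\d{6}\b", message)
    return m.group(0) if m else None


def relay_with_code(provider: Provider, victim_email: str) -> bool:
    """Steps 3-10 of the article against a code-based reset.
    Returns True if the attacker ends up controlling the password."""
    # Attacker starts the reset in their own browser session.
    msg, _ = provider.start_reset(victim_email, "code")
    # The provider texts msg to the victim; the rigged site asks
    # "enter the code we just sent you" and the victim copies it over.
    typed = copy_code(msg)
    # The rigged site feeds the code into the attacker's pending reset.
    return provider.complete("attacker-browser", typed, "attacker-chosen")


def relay_with_link(provider: Provider, victim_email: str) -> Dict[str, bool]:
    """Same relay against a link-based reset. Assumes the victim's natural
    reaction to a link is to click it, opening it in their own browser."""
    _, token = provider.start_reset(victim_email, "link")
    provider.open_link("victim-browser", token)
    # The landing page belongs to the provider, so the new password is typed
    # there; the attacker's session cannot finish the reset it started.
    attacker_done = provider.complete("attacker-browser", token, "attacker-chosen")
    victim_done = provider.complete("victim-browser", token, "victim-chosen")
    return {"attacker_controls_account": attacker_done, "victim_reset": victim_done}


if __name__ == "__main__":
    p = Provider(passwords={"victim@example.com": "original"})  # constructed account
    print("code flow, account compromised:", relay_with_code(p, "victim@example.com"))
    print("link flow:", relay_with_link(p, "victim@example.com"))
```

The model isolates the structural difference: a code is a bearer value that any session can present, so an informative sentence around it changes nothing once the user copies only the digits; a link ties completion to the browser that opens it, so the relay only works if the victim is persuaded to copy the link itself instead of clicking it.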
After a few successful experiments, the researchers related their findings to companies running sites vulnerable to the hack, including Google and Facebook. While Snapchat, Yahoo!, Google, LinkedIn and Yandex followed through with the researchers’ recommendations, Facebook only said thanks, adding that “they do not plan to apply fixes soon.”
As a general rule, you should download files only from trusted sources and think twice before registering with a service you know nothing about. The PRMitM attack stands as evidence that even a strong password can be easily compromised by a motivated hacker.