Name Password Recovery Exploitation
Summary An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question . For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.
Prerequisites The system allows users to recover their passwords and gain access back into the system. Password recovery mechanism has been designed or implemented insecurely. Password recovery mechanism relies only on something the user knows and not something the user has. No third party intervention is required to use the password recovery mechanism.
Solutions Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic. E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online. Ensure that your password recovery functionality is not vulnerable to an injection style attack.
Related Weaknesses
CWE ID Description
CWE-522 Insufficiently Protected Credentials
CWE-640 Weak Password Recovery Mechanism for Forgotten Password
CWE-718 OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
Back to Top