Feeds

Forgotten password clues create hacker risk

Crackers play battleships with user credentials

Using blade systems to cut costs and sharpen efficiencies

Security flaws in the "forgotten password" feature of ecommerce websites leave half the UK's online retailers open to attack, according to security consultancy SecureTest.

It warns that the log-in process of many transactional websites can be subverted by a "brute force" or enumeration attack. In a survey of 107 popular online retail websites in the UK, SecureTest found that 54 of the sites (or 50.5 per cent) are potentially vulnerable to this type of hack attack.

Differences in responses by applications when valid and invalid user account names can give clues to hackers and form the basis of enumeration attacks. If a valid user name (or registered email address) is entered on a "forgotten password" page, a web application might respond stating that a password will be sent to the user by email. If an invalid user name is entered, the application could respond with "invalid account name". Using this information, a script can be written to try numerous account names, exploiting these differences in response. While this is a time-consuming process it does create a means to create a list of valid user names.

Armed with this list, a hacker might apply a similar brute force attack to target the application and crack account passwords. Once sets of user names and passwords are established a hacker would be able to log into an account, make purchases or extract confidential data, such as a user's postal addresses and credit card details.

"We test web applications daily and repeatedly find that enumeration is possible. This problem is not limited to retail. Most websites with a password reminder function are vulnerable to enumeration attacks," SecureTest managing director Ken Munro said. A self-confessed ecommerce user, Munro said he looked into the issue after becoming concerned about the way sites he used handled users with forgotten passwords. Hack attacks targeting the forgotten passwords of ecommerce websites are something neither Munro or ourselves can cite examples of. However, Munro maintains that the risk is real and worth considering, especially because defending against enumeration attacks on passwords is a simple coding exercise.

Some etailers have implemented a "lock out" feature that restricts access to accounts after a fixed number of failed password attempts. SecureTest reckons this approach, while it might appear to be a good idea, leaves open other forms of abuse such as a risk that the attacker will bombard valid accounts with bad passwords, thus locking out the retailers' customers. In effect this creates a Denial of Service (DoS) attack with the application blocking bona fide users through its own aggressive lock out policy.

SecureTest advises retailers to consult their application developer about alternative countermeasures. The security consultancy has developed a list of recommendations that can be taken to help prevent brute force attacks against ecommerce sites:

  • Instigate a 'time out' feature on the log-in form. This will slow down a brute force attack to such an extent that it will render it ineffective.
  • Avoid applying a permanent lock-out on the log-in form: an attacker could deliberately lock out valid users by trying bad passwords on their accounts.
  • Make sure the error message on the log-in form is generic; don’t distinguish between a valid/invalid username and valid/invalid password. "Incorrect credentials entered’ is a suitable response.
  • Consider implementing a second authentication factor on the forgotten password feature, e.g. a memorable date.
  • Ensure you are logging HTTP POST requests from the log-in form and forgotten password feature as this may not be enabled by default.
  • Inspect logs to monitor attacks particular accounts and take appropriate action if any such hacking attack is identified.

®

The smart choice: opportunity from uncertainty

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.