Feeds

Forgotten password clues create hacker risk

Crackers play battleships with user credentials

The Power of One eBook: Top reasons to choose HP BladeSystem

Security flaws in the "forgotten password" feature of ecommerce websites leave half the UK's online retailers open to attack, according to security consultancy SecureTest.

It warns that the log-in process of many transactional websites can be subverted by a "brute force" or enumeration attack. In a survey of 107 popular online retail websites in the UK, SecureTest found that 54 of the sites (or 50.5 per cent) are potentially vulnerable to this type of hack attack.

Differences in responses by applications when valid and invalid user account names can give clues to hackers and form the basis of enumeration attacks. If a valid user name (or registered email address) is entered on a "forgotten password" page, a web application might respond stating that a password will be sent to the user by email. If an invalid user name is entered, the application could respond with "invalid account name". Using this information, a script can be written to try numerous account names, exploiting these differences in response. While this is a time-consuming process it does create a means to create a list of valid user names.

Armed with this list, a hacker might apply a similar brute force attack to target the application and crack account passwords. Once sets of user names and passwords are established a hacker would be able to log into an account, make purchases or extract confidential data, such as a user's postal addresses and credit card details.

"We test web applications daily and repeatedly find that enumeration is possible. This problem is not limited to retail. Most websites with a password reminder function are vulnerable to enumeration attacks," SecureTest managing director Ken Munro said. A self-confessed ecommerce user, Munro said he looked into the issue after becoming concerned about the way sites he used handled users with forgotten passwords. Hack attacks targeting the forgotten passwords of ecommerce websites are something neither Munro or ourselves can cite examples of. However, Munro maintains that the risk is real and worth considering, especially because defending against enumeration attacks on passwords is a simple coding exercise.

Some etailers have implemented a "lock out" feature that restricts access to accounts after a fixed number of failed password attempts. SecureTest reckons this approach, while it might appear to be a good idea, leaves open other forms of abuse such as a risk that the attacker will bombard valid accounts with bad passwords, thus locking out the retailers' customers. In effect this creates a Denial of Service (DoS) attack with the application blocking bona fide users through its own aggressive lock out policy.

SecureTest advises retailers to consult their application developer about alternative countermeasures. The security consultancy has developed a list of recommendations that can be taken to help prevent brute force attacks against ecommerce sites:

  • Instigate a 'time out' feature on the log-in form. This will slow down a brute force attack to such an extent that it will render it ineffective.
  • Avoid applying a permanent lock-out on the log-in form: an attacker could deliberately lock out valid users by trying bad passwords on their accounts.
  • Make sure the error message on the log-in form is generic; don’t distinguish between a valid/invalid username and valid/invalid password. "Incorrect credentials entered’ is a suitable response.
  • Consider implementing a second authentication factor on the forgotten password feature, e.g. a memorable date.
  • Ensure you are logging HTTP POST requests from the log-in form and forgotten password feature as this may not be enabled by default.
  • Inspect logs to monitor attacks particular accounts and take appropriate action if any such hacking attack is identified.

®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.