Feeds

Forgotten password clues create hacker risk

Crackers play battleships with user credentials

Top 5 reasons to deploy VMware with Tegile

Security flaws in the "forgotten password" feature of ecommerce websites leave half the UK's online retailers open to attack, according to security consultancy SecureTest.

It warns that the log-in process of many transactional websites can be subverted by a "brute force" or enumeration attack. In a survey of 107 popular online retail websites in the UK, SecureTest found that 54 of the sites (or 50.5 per cent) are potentially vulnerable to this type of hack attack.

Differences in responses by applications when valid and invalid user account names can give clues to hackers and form the basis of enumeration attacks. If a valid user name (or registered email address) is entered on a "forgotten password" page, a web application might respond stating that a password will be sent to the user by email. If an invalid user name is entered, the application could respond with "invalid account name". Using this information, a script can be written to try numerous account names, exploiting these differences in response. While this is a time-consuming process it does create a means to create a list of valid user names.

Armed with this list, a hacker might apply a similar brute force attack to target the application and crack account passwords. Once sets of user names and passwords are established a hacker would be able to log into an account, make purchases or extract confidential data, such as a user's postal addresses and credit card details.

"We test web applications daily and repeatedly find that enumeration is possible. This problem is not limited to retail. Most websites with a password reminder function are vulnerable to enumeration attacks," SecureTest managing director Ken Munro said. A self-confessed ecommerce user, Munro said he looked into the issue after becoming concerned about the way sites he used handled users with forgotten passwords. Hack attacks targeting the forgotten passwords of ecommerce websites are something neither Munro or ourselves can cite examples of. However, Munro maintains that the risk is real and worth considering, especially because defending against enumeration attacks on passwords is a simple coding exercise.

Some etailers have implemented a "lock out" feature that restricts access to accounts after a fixed number of failed password attempts. SecureTest reckons this approach, while it might appear to be a good idea, leaves open other forms of abuse such as a risk that the attacker will bombard valid accounts with bad passwords, thus locking out the retailers' customers. In effect this creates a Denial of Service (DoS) attack with the application blocking bona fide users through its own aggressive lock out policy.

SecureTest advises retailers to consult their application developer about alternative countermeasures. The security consultancy has developed a list of recommendations that can be taken to help prevent brute force attacks against ecommerce sites:

  • Instigate a 'time out' feature on the log-in form. This will slow down a brute force attack to such an extent that it will render it ineffective.
  • Avoid applying a permanent lock-out on the log-in form: an attacker could deliberately lock out valid users by trying bad passwords on their accounts.
  • Make sure the error message on the log-in form is generic; don’t distinguish between a valid/invalid username and valid/invalid password. "Incorrect credentials entered’ is a suitable response.
  • Consider implementing a second authentication factor on the forgotten password feature, e.g. a memorable date.
  • Ensure you are logging HTTP POST requests from the log-in form and forgotten password feature as this may not be enabled by default.
  • Inspect logs to monitor attacks particular accounts and take appropriate action if any such hacking attack is identified.

®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.