
This is how easily a hacker can reset your password and steal your account

Filip TRUȚĂ

June 27, 2017


Researchers at the IEEE Computer Society have shown how a man-in-the-middle (MITM) attack can be used to reset user passwords and subsequently steal a person's account, be it their email, Twitter handle or Facebook profile.

Using a website rigged to offer a freebie, such as a cool app that would otherwise cost money, hackers can lure unwary users into answering security questions like “what is the name of your best friend?” and forward that information to their account's password reset module on sites like Google, Facebook, Snapchat and others. The actual steps are:

  1. User accesses rigged website, which the attacker controls, to get a resource, e.g. free software
  2. Attacker asks the user to log in for free to access the resource
  3. Attacker gets the email address of the victim
  4. Attacker accesses the email service provider website and initiates a password reset process
  5. Attacker forwards every challenge he gets from the email service provider to the victim in the registration process, e.g. security question, captcha, etc.
  6. Every “solution” typed by the victim in what he/she believes is the registration process for the free download is then forwarded to the email service provider
  7. Cross-site attacker becomes a man-in-the-middle of a password reset process
  8. Account now compromised

A simple example of the password reset man-in-the-middle (PRMitM) attack, in its most basic form, is illustrated below:

But hackers can take things further if, say, the password reset mechanism asks for SMS confirmation or a phone call handled by a robot. Because users typically don't read the entire message, especially when they know to expect a confirmation code to arrive, they will just as naively hand over their information, as the researchers explain.

“Informative password-reset messages do not prevent exploitation of users, mainly because many users ignore the text and just copy the code. The PRMitM attack can be used to take over accounts of very popular websites (e.g., Facebook) given minimal information about the user (e.g., phone number only). This allows easy exploitation in additional scenarios (not [just] registration),” the researchers say.

After a few successful experiments, the researchers reported their findings to companies running sites vulnerable to the hack, including Google and Facebook. While Snapchat, Yahoo!, Google, LinkedIn and Yandex followed through with the researchers' recommendations, Facebook only said thanks, adding that “they do not plan to apply fixes soon.”
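The relay described above works because the reset challenge is reduced to something a person can retype into any form: a short code or the answer to a question. A reset design that delivers a long, single-use link only to the account's registered address removes that step, since the link is opened directly on the legitimate site and the new password is chosen there. The following is an added illustration, not code from the article or from the researchers' paper, and it assumes hypothetical names (`ResetService`, `request_reset`, `complete_reset`) and a constructed user table; the article does not say which specific fixes the listed vendors applied.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Reset links stop being valid after this many seconds (assumed value).
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingReset:
    email: str
    issued_at: float
    used: bool = False


class ResetService:
    """Link-based password reset.

    The secret exists only inside the URL mailed to the registered address.
    Whoever requested the reset (possibly an attacker who only knows the
    address) never receives the token, and there is no short code that the
    account owner could be tricked into retyping on a third-party site.
    """

    def __init__(self, users: Dict[str, str], base_url: str,
                 now: Callable[[], float] = time.time) -> None:
        self.users = users            # email -> password hash (constructed sample data)
        self.base_url = base_url
        self.now = now                # injectable clock so expiry can be tested
        self.pending: Dict[str, PendingReset] = {}   # keyed by token hash

    @staticmethod
    def _token_hash(token: str) -> str:
        # Only a hash of the token is stored; a leaked table cannot be replayed
        # as live reset links, and looking up by hash avoids comparing secrets.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str) -> Optional[str]:
        """Return the link the mailer must send to `email`, or None if unknown.

        The web layer should show the same 'check your inbox' message in both
        cases so that the endpoint does not reveal which addresses exist.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)           # 256 bits, not retypable
        self.pending[self._token_hash(token)] = PendingReset(email, self.now())
        return f"{self.base_url}/reset?token={token}"

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the link. Succeeds once, only before expiry."""
        record = self.pending.get(self._token_hash(token))
        if record is None or record.used:
            return False
        if self.now() - record.issued_at > TOKEN_TTL_SECONDS:
            return False
        record.used = True                          # single use
        # Demo hashing only; a real service uses a slow password hash (argon2, bcrypt).
        self.users[record.email] = hashlib.sha256(new_password.encode()).hexdigest()
        return True


if __name__ == "__main__":
    svc = ResetService({"alice@example.com": "old-hash"}, "https://accounts.example.test")
    link = svc.request_reset("alice@example.com")   # goes to the mailer, not to the requester
    token = link.split("token=")[1]
    print("first use :", svc.complete_reset(token, "correct horse battery staple"))
    print("second use:", svc.complete_reset(token, "again"))
```

The properties worth checking in review are the ones the flow above enforces: the token is generated with `secrets`, only its hash is persisted, it is bound to a registered address, it expires, and it is invalidated on first use. None of these stop a user from being lured to a fake site, but they leave the attacker with nothing to relay.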

As a general rule, you should download files from trusted sources and think twice before registering with a service you know nothing about. This PRMitM attack stands as evidence that even a strong password can be easily compromised by a motivated hacker.
