CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.
Last updated
Overview
Most of them use only one security question. For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user. These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name. A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
Understand the password recovery mechanism and how it works.
- Step 2Exploit
Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer.
What the attacker needs
Prerequisites
- The system allows users to recover their passwords and gain access back into the system.
- Password recovery mechanism has been designed or implemented insecurely.
- Password recovery mechanism relies only on something the user knows and not something the user has.
- No third party intervention is required to use the password recovery mechanism.
Skills required
- Low skill: Brute force attack
- Medium skill: Social engineering and more sophisticated technical attacks.
Resources required
- For a brute force attack one would need a machine with sufficient CPU, RAM and HD.
Consequences
What a successful CAPEC-50 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
How to mitigate it
Defenses that reduce the risk of CAPEC-50.
- Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic.
- E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.
- Ensure that your password recovery functionality is not vulnerable to an injection style attack.
How to detect it
Indicators that this attack may be underway.
- Many incorrect attempts to answer the security question.
Examples
An attacker clicks on the "forgot password" and is presented with a single security question. The question is regarding the name of the first dog of the user. The system does not limit the number of attempts to provide the dog's name. An attacker goes through a list of 100 most popular dog names and finds the right name, thus getting the ability to reset the password and access the system.
phpBanner Exchange is a PHP script (using the mySQL database) that facilitates the running of a banner exchange without extensive knowledge of PHP or mySQL. A SQL injection was discovered in the password recovery module of the system that allows recovering an arbitrary user's password and taking over their account. The problem is due to faulty input sanitization in the phpBannerExchange, specifically the e-mail address of the user which is requested by the password recovery module. The e-mail address requested by the password recovery module on the resetpw.php page. That e-mail address is validated with the following regular expression: if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)* (\.[a-z]{2,3})$", $email)){ A bug in the implementation of eregi() allows to pass additional character using a null byte "\0". Since eregi() is implemented in C, the variable $email is treated as a zero-terminated string. All characters following the Null Byte will not be recognized by the regular expression. So an e-mail address can be provided that includes the special character " ' " to break the SQL query below (and it will not be rejected by the regular expression because of the null byte trick). So a SQL injection becomes possible: $get_info=mysql_query("select * from banneruser where email='$email' "); This query will return a non-zero result set even though the email supplied (attacker's email) is not in the database. Then a new password for the user is generated and sent to the $email address, an e-mail address controlled by the attacker. An attacker can then log in into the system. See also: CVE-2006-3013
Frequently asked questions
Common questions about CAPEC-50.
- What is CAPEC-50?
- An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.
- How does a Password Recovery Exploitation attack work?
- It typically unfolds over 2 phases. It begins with: Understand the password recovery mechanism and how it works.
- How do you prevent CAPEC-50?
- Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic.
- What weaknesses does CAPEC-50 target?
- CAPEC-50 exploits 2 CWE weaknesses, including CWE-522 (Insufficiently Protected Credentials), CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).
- How severe is CAPEC-50?
- MITRE rates CAPEC-50 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-50
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.