Password reset flaw allowed complete account takeover
A US internet provider is investigating a password reset flaw after a researcher showed that customer accounts could be taken over completely by bypassing its two-step verification.
The vulnerability was discovered within Frontier online customer accounts.
Starting with nothing more than the target's username or email address, the researcher could get into an account and view or change its details.
The flaw was that the access code field on the reset page imposed no limit on attempts, so security researcher Ryan Stevenson, who discovered the bug, could submit guess after guess against a test account he created until he hit the right code.
He used Burp Suite's intercept tooling to automate the submissions, ZDNet reports, sending more than 100 code guesses in 10 seconds.
At that rate, Stevenson cracked the code in just over a day.
Frontier confirmed that it was investigating the incident after Stevenson reported the flaw to the company.
A spokesperson said: “Out of an abundance of caution, while the matter is being investigated Frontier has shut down the functionality of changing a customer’s password via the web.”
One mitigating factor: before anyone can trigger a reset, they must first complete a CAPTCHA, which rules out mass automated takeovers but not a targeted attack on a single account, since the code-guessing step itself was not throttled.
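To make the reported weakness concrete, here is an added Python model of the reset-code check (illustration written for this page, not Frontier's code): an unthrottled verifier that falls to simple enumeration, beside a hardened one that caps failed attempts per issued code, expires codes, and burns them after use. The 6-digit code length, the cap of 5 failures, the 10-minute lifetime and the `victim@example.com` test account are assumptions; the article states none of them. The `expected_bruteforce_seconds` helper turns ZDNet's figure of 100 submissions per 10 seconds into the time an attacker would need, which is why a CAPTCHA on the first reset request alone does not close the hole.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Type

# Assumed parameters for illustration; the article gives none of them.
CODE_DIGITS = 6


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    failures: int = 0


class UnthrottledVerifier:
    """Models the reported flaw: a reset code may be guessed without limit."""

    def __init__(self) -> None:
        self._codes: Dict[str, IssuedCode] = {}

    def issue_code(self, account: str, code: Optional[str] = None,
                   now: Optional[float] = None) -> str:
        # `code` and `now` are hooks for deterministic demos; real callers omit them.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        issued_at = time.monotonic() if now is None else now
        self._codes[account] = IssuedCode(code=code, issued_at=issued_at)
        return code

    def verify(self, account: str, guess: str,
               now: Optional[float] = None) -> bool:
        issued = self._codes.get(account)
        if issued is None:
            return False
        # Constant-time compare, but no attempt cap, no expiry, and the code
        # stays valid after a wrong guess: an attacker can simply iterate.
        return hmac.compare_digest(issued.code, guess)


class ThrottledVerifier(UnthrottledVerifier):
    """Hardened check: few attempts per issued code, short lifetime, single use."""

    MAX_FAILURES = 5      # assumed cap
    TTL_SECONDS = 600     # assumed lifetime

    def verify(self, account: str, guess: str,
               now: Optional[float] = None) -> bool:
        issued = self._codes.get(account)
        if issued is None:
            return False
        now = time.monotonic() if now is None else now
        if now - issued.issued_at > self.TTL_SECONDS:
            del self._codes[account]      # expired: a new code must be requested
            return False
        if hmac.compare_digest(issued.code, guess):
            del self._codes[account]      # single use: no replay of a seen code
            return True
        issued.failures += 1
        if issued.failures >= self.MAX_FAILURES:
            del self._codes[account]      # burn the code after too many misses
        return False


def brute_force(verifier: UnthrottledVerifier, account: str,
                digits: int = CODE_DIGITS) -> Optional[int]:
    """Enumerate every code in order; return the guess count that succeeded, or None."""
    for n in range(10 ** digits):
        if verifier.verify(account, f"{n:0{digits}d}"):
            return n + 1
    return None


def expected_bruteforce_seconds(digits: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random code at the given submission rate."""
    return (10 ** digits / 2) / guesses_per_second


def demo(verifier_cls: Type[UnthrottledVerifier], code: str = "004242") -> Optional[int]:
    """Issue a known code to a constructed test account and enumerate against it."""
    v = verifier_cls()
    v.issue_code("victim@example.com", code=code)
    return brute_force(v, "victim@example.com", digits=len(code))


def hardening_checks() -> Dict[str, bool]:
    """Exercise single use and expiry of ThrottledVerifier with a fixed clock."""
    v = ThrottledVerifier()
    v.issue_code("a", code="123456", now=0.0)
    wrong_then_right = (not v.verify("a", "000000", now=1.0)
                        and v.verify("a", "123456", now=2.0))
    replay_rejected = not v.verify("a", "123456", now=3.0)
    v.issue_code("a", code="123456", now=0.0)
    expired_rejected = not v.verify("a", "123456", now=v.TTL_SECONDS + 1.0)
    return {"wrong_then_right": wrong_then_right,
            "replay_rejected": replay_rejected,
            "expired_rejected": expired_rejected}


if __name__ == "__main__":
    print("unthrottled:", demo(UnthrottledVerifier))   # 4243 guesses, then takeover
    print("throttled:  ", demo(ThrottledVerifier))     # None: code burned after 5 misses
    # ZDNet's 100+ submissions per 10 s is about 10 guesses/s: for a 6-digit
    # code that is ~14 h on average and ~28 h worst case, in line with the
    # "just over a day" reported.
    print(f"expected time at 10 guesses/s: "
          f"{expected_bruteforce_seconds(CODE_DIGITS, 10) / 3600:.1f} h")
```

A per-IP or per-account rate limit at the HTTP layer is a useful second layer, but it is the cap on guesses against each issued code that defeats a single patient attacker, and single use plus expiry stop a code that was observed or guessed late from being replayed.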
But the disclosure of the bug continues to fan the flames of a long-running debate surrounding passwords.
Just last month, Microsoft revealed it was working to eradicate passwords as we know them.
In a blog post, the company said it is developing replacements for passwords using authenticator apps and biometric technologies.
One reason passwords are frowned upon is poor password hygiene among users.
Just yesterday, a survey of 500 US employees found that 25% reused the same password across more than one account.
And 81% of respondents said they didn’t use a password to protect their phone or computer.