Common Flaws in Forgot Password Implementation

By balaji

December 21, 2010

As awareness about information security is increasing, application owners are taking measures to safeguard their applications. But even with a single vulnerability present, an attacker might be able to gain control of the application. A lot of attention is given to securing the authentication mechanism for an application as post-login data is deemed confidential and important. However, sometimes a seemingly harmless feature on a public page might render all the prevention and security mechanisms useless. The 'Forgot Password' feature is one such feature, which can be misused to compromise user accounts.


The Forgot Password feature lets users who have forgotten their password obtain a new one. The same feature can be misused by an attacker to reset or change an existing user's password, either locking the legitimate user out (a Denial-of-Service, DoS) or taking over the account outright.

In this article, we will take a look at some of the common flaws observed in the implementation of this feature and at how each of them can be exploited.

1. CAPTCHAs not being used

This is one of the most common flaws observed in the implementation of the Forgot Password feature. A CAPTCHA is meant to stop automated requests generated by bots. Without one on the Forgot Password page, an attacker can script a large number of reset requests, which at the very least floods users' mailboxes with reset mails and, depending on how the reset is implemented (see flaw 6 below), locks users out of their accounts. A CAPTCHA on its own is a weak gate, so it should be backed by server-side throttling of reset requests per account and per source address; otherwise the same page can also be used to brute-force security-question answers or reset tokens.
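The throttling mentioned above, as an added example that is not part of the original article: a sliding-window limiter that caps reset requests both per target account and per source address, so a bot hammering one victim and a bot spraying many accounts from one address are both refused. The limits, window and addresses are assumed values chosen for illustration.

```python
import time
from collections import deque

# Assumed limits; a real deployment tunes these. Both are enforced on every
# request, so a bot hitting one victim is stopped by the account limit and a
# bot spraying many accounts from one address is stopped by the source limit.
MAX_PER_ACCOUNT = 3      # reset requests per account per window
MAX_PER_SOURCE = 10      # reset requests per source address per window
WINDOW_SECONDS = 3600


class ResetRateLimiter:
    """Sliding-window limiter keyed on (scope, identifier)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the window can be tested
        self.events = {}        # key -> deque of request timestamps

    def _recent(self, key, t):
        q = self.events.setdefault(key, deque())
        while q and q[0] <= t - WINDOW_SECONDS:
            q.popleft()         # forget requests that fell out of the window
        return q

    def allow(self, source_ip: str, account: str) -> bool:
        """True if a reset request from source_ip for account may proceed."""
        t = self.now()
        by_account = self._recent(("account", account), t)
        by_source = self._recent(("source", source_ip), t)
        if len(by_account) >= MAX_PER_ACCOUNT or len(by_source) >= MAX_PER_SOURCE:
            return False        # refused requests are not counted
        by_account.append(t)
        by_source.append(t)
        return True


def simulate_bot(limiter, source_ip, account, attempts):
    """Return (accepted, refused) for a burst of automated reset requests."""
    accepted = sum(1 for _ in range(attempts) if limiter.allow(source_ip, account))
    return accepted, attempts - accepted


def demo():
    clock = [0.0]
    limiter = ResetRateLimiter(now=lambda: clock[0])
    results = {}
    # a bot hammering one victim from one address: only the first 3 get through
    results["burst"] = simulate_bot(limiter, "203.0.113.5", "alice", 50)
    # spraying 20 distinct accounts from the same address: the source limit
    # allows 10 in total, 3 of which were already spent on alice
    spray = [limiter.allow("203.0.113.5", f"user{i}") for i in range(20)]
    results["spray_accepted"] = sum(spray)
    # a different address is unaffected and can still request a reset for bob
    results["other_source_ok"] = limiter.allow("198.51.100.7", "bob")
    # once the window has passed, alice may legitimately request again
    clock[0] += WINDOW_SECONDS + 1
    results["after_window"] = limiter.allow("203.0.113.5", "alice")
    return results
```

`demo()` returns `(3, 47)` for the burst and `7` for the spray: the limiter never tells the caller which rule fired, so the page's response stays the same for accepted and refused requests and gives away nothing about the account.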

2. Easy-to-answer hint/security questions

Many implementations of the Forgot Password feature allow the user to set one or more questions that are asked when a password reset request is initiated. A common flaw is to allow very simple questions, whose answers come from a small set of values or are easy to find out about the user. An attacker can guess such answers in a handful of attempts, or obtain them through social engineering or public profiles, and thus reset a valid user's password.

Some examples of bad questions are:

  • What is your favorite color?
  • What is the color of your eyes?
  • What is your favorite sport?

3. Sending the new password as cleartext to a registered e-mail address

A lot of Forgot Password implementations generate a new password and send it to the user by e-mail. The problem with this approach is that e-mail is not a confidential channel: the message crosses mail servers and sits in mailboxes in cleartext unless every hop uses TLS, so an attacker who can sniff the traffic or read the mailbox learns the password. The exposure is worse when the e-mailed password is a permanent one rather than a temporary password that must be changed at first login, because it then remains usable for as long as the mail exists.

4. Sending a password reset link to an e-mail ID

In this case, the problem is not so much in sending the link as in what the link carries. If the link identifies the account by a username or a similar parameter, an attacker can change that parameter and reset someone else's password. If the link is reusable or never expires, an attacker who obtains it can replay it later to reset the user's password again. A reset link should instead carry a long, random, single-use and time-limited token that the server maps to the account; the account must never be taken from a parameter the client controls.

5. Allowing the user to set a new password and confirming the same via e-mail

One implementation of the Forgot Password feature that we have come across lets the user enter his/her e-mail address together with a new password on the Forgot Password page. An e-mail is then sent to the user with a link that confirms the new password. This approach is very user friendly and fairly secure, but it can still be abused. An attacker visits the Forgot Password page and initiates a reset by entering the victim's e-mail ID and a password of the attacker's choosing. A confirmation link is sent to the victim. If, by any chance, the victim clicks on this link, his/her password is reset to the one the attacker provided. The new password should only be chosen after the link has been verified, never before.

6. Old password is invalidated as soon as the Forgot Password process is initiated

This flaw is one of the easiest to exploit. All an attacker has to do is initiate the Forgot Password process for a valid user by providing the username or e-mail address (whichever the page asks for), and the valid user's old password is invalidated. Even if the attacker never obtains the new password, he has succeeded in performing DoS against the valid user, who has to go through the entire reset process to access the account again; the attacker can repeat this as often as he likes. The old password should remain valid until the reset is actually completed with the token or confirmation link.
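A link-based reset that avoids flaws 4, 5 and 6, as an added example that is not from the original article: the link carries only a random token, the token is stored hashed and bound server-side to the account, it is single-use and expires, the new password is chosen only after the token is verified, and the current password is untouched until then. The 15-minute lifetime, the `app.example` URL, the PBKDF2 password hash (a stand-in for a memory-hard hash) and the in-memory outbox standing in for SMTP are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60                 # assumed lifetime of a reset link
RESET_URL = "https://app.example/reset"     # hypothetical endpoint


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2; stands in for argon2/bcrypt in a real deployment."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(candidate, digest_hex)


@dataclass
class Account:
    username: str
    email: str
    password_hash: str


@dataclass
class ResetRecord:
    username: str       # account bound server-side, never read from the link
    expires_at: float


class PasswordResetService:
    def __init__(self, accounts, now=time.time):
        self.by_username = {a.username: a for a in accounts}
        self.by_email = {a.email: a for a in accounts}
        self.now = now          # injectable clock for testing expiry
        self.pending = {}       # sha256(token) -> ResetRecord
        self.outbox = []        # (recipient, link) in lieu of SMTP

    @staticmethod
    def _token_id(token: str) -> str:
        # only a hash is stored, so a leaked table cannot be replayed
        return hashlib.sha256(token.encode()).hexdigest()

    def initiate_reset(self, identifier: str) -> str:
        """Flaw 6 avoided: the current password is left untouched here."""
        account = self.by_username.get(identifier) or self.by_email.get(identifier)
        if account is not None:
            token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
            self.pending[self._token_id(token)] = ResetRecord(
                account.username, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((account.email, f"{RESET_URL}?token={token}"))
        # identical response whether or not the account exists
        return "If that account exists, a reset link has been sent."

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Flaws 4 and 5 avoided: single-use expiring token, password chosen now."""
        record = self.pending.pop(self._token_id(token), None)   # consumed on use
        if record is None or record.expires_at < self.now():
            return False
        self.by_username[record.username].password_hash = hash_password(new_password)
        # any other outstanding links for this account die with the reset
        self.pending = {k: v for k, v in self.pending.items()
                        if v.username != record.username}
        return True


def token_from_link(link: str) -> str:
    return link.split("token=", 1)[1]


def demo() -> dict:
    """Walk the flow and record which security properties hold."""
    clock = [1_700_000_000.0]
    alice = Account("alice", "alice@example.com", hash_password("old-secret"))
    svc = PasswordResetService([alice], now=lambda: clock[0])
    r = {}
    svc.initiate_reset("alice")
    token = token_from_link(svc.outbox[-1][1])
    r["old_password_still_valid"] = verify_password(alice.password_hash, "old-secret")
    r["tampered_token_rejected"] = not svc.complete_reset(token + "x", "attacker-pw")
    r["reset_succeeds"] = svc.complete_reset(token, "new-secret")
    r["new_password_valid"] = verify_password(alice.password_hash, "new-secret")
    r["reuse_rejected"] = not svc.complete_reset(token, "attacker-pw")
    svc.initiate_reset("alice@example.com")
    stale = token_from_link(svc.outbox[-1][1])
    clock[0] += TOKEN_TTL_SECONDS + 1
    r["expired_rejected"] = not svc.complete_reset(stale, "attacker-pw")
    mails_before = len(svc.outbox)
    same_reply = svc.initiate_reset("nobody") == svc.initiate_reset("alice")
    r["no_user_enumeration"] = same_reply and len(svc.outbox) == mails_before + 1
    return r
```

Every entry of `demo()` comes back `True`. Note what the link does not contain: no username, no e-mail address and no new password, so there is nothing for an attacker to tamper with and no reason for a victim who clicks a stray link to end up with an attacker-chosen password.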

These are some common flaws observed in implementations that we have come across. They are not tied to any one kind of implementation but are generic in nature and show up in the various approaches used for implementing the Forgot Password feature. How the feature is implemented depends on the application in question, but in general we must make sure that the Forgot Password feature in our application does not have these flaws. At the same time, striking a healthy balance between security and user-friendliness remains a major challenge when implementing this feature. Next time, we will take a look at some of the ways in which the Forgot Password feature can be implemented securely while staying as user-friendly as possible.


Tags: Best Practices
