The Password Reset MitM Attack and DigiNotar CA Hack: Implications and Proposed Solutions

   

Added on  2023-06-11

The Password Reset MitM Attack
Attacks
Websites expose their users to attackers who invade the privacy of users who do not suspect
it. As explained in the paper “The Password Reset MitM Attack”, the password reset MitM
attack is, as the name suggests, one of the attacks that attackers carry out through
websites. The attack is quite easy to implement, but that does not mean it is not hazardous.
In this attack, the user is enticed into signing up for an account in order to get or
subscribe to a service controlled by the attacker (for example, the attacker can offer a free
download as bait). As the user enters values to sign up, the attacker manipulates the
registration flow in a way that lets the attacker reset the password of the user's accounts
on other websites. An easy target for the attacker is the user's email account. With the
details obtained, the attacker can take control of the user's accounts on other websites.
The user's account is also vulnerable to cross-site attacks, which include cross-site
scripting, cross-site script inclusion, clickjacking and cross-site request forgery. These
attacks are possible only because of a vulnerability in the website. In clickjacking, for
example, the clickjacked page tricks the victim into carrying out unintended actions by
clicking a concealed link. The attacker loads a similar page over the actual page, in a
transparent layer on the clickjacked page. The user then unknowingly carries out actions on
the invisible page, and through that the attacker obtains the user's credentials. This is
unlike password reset MitM, where the user must carry out an action on the attacking page and
give at least one correct detail about themselves.
Another attack is phishing. In this kind of attack, the attacking page impersonates a
legitimate website and entices or tricks the victim into entering credentials such as the
username and password. This differs slightly from the password reset MitM attack, where the
user only needs to provide personal information such as a mobile number, which victims agree
to give in order to receive the services offered. However, sophisticated phishing attacks may
also, to an extent, take the application-level MitM approach of
copying legitimate websites or the whole login process. A phishing attack that applies the
MitM approach may also overcome two-factor authentication schemes, since the user enters
passwords and codes into the phishing website. As a result, one may not be able to
differentiate between password reset MitM and phishing attacks, which is itself the weakness.
The difference between phishing and the password reset MitM attack is that the password reset
MitM attack exploits bugs in the design of the password reset process, while phishing
exploits the users. The design of the website targeted by the attacker does not contain any
bug; in this case the attacker attacks unsuspecting users who simply ignore the instructions
their browsers give them.
Threat Model for the Attacks
To implement the password reset MitM attack, the attacker only needs to control a website.
Eavesdropping or MitM capabilities are not needed for this kind of attack. The attacker
attacks visitors to the attacker's website and then exploits their accounts on the other
websites where they hold an account. The same applies to cross-site attacks such as
clickjacking, cross-site scripting and cross-site request forgery. To begin the password
reset process in the user's name, the attacker needs the typical set of information, such as
the email address, username or phone number. The attacker can obtain this information from
the user during registration on the attacking website, or before processes such as a file
download, when the user is asked to identify themselves using their phone. On other websites,
the attacker may exploit cross-site attacks, for example cross-site script inclusion or
cross-site scripting, or other advanced methods to collect details about the user. The fact
that attackers use the techniques discussed above means that there are various restrictions;
for example, for the attack to happen, the victim must be logged into the attacking website.
After the victim visits the attacker's website, the attacking page needs to entice the user
into entering or registering their phone number so that the user can receive the code. In
order to achieve
that, the attacker may use common or even well-known techniques. A good example is an
attacker creating a website that offers free services such as file downloads or streaming.
The website may then require basic authentication before any service can be accessed, or
restrict the services to registered users.
Users are also tricked into providing personal details to websites they do not know. They
agree to register, or to have a one-time code sent to their phones, in order to enjoy the
online services offered to them. In reality, the attacking website only claims to offer
services that are valuable to users, although it would be a good idea for it to actually
provide those services in order to gain potential victims.
The attacks are likely to be carried out because a good number of users are ignorant, in that
they readily give their credentials to unknown websites when asked, which exposes them to the
risk of being attacked. Sometimes codes sent to the phone are used as a way of verifying the
user. Phones are vulnerable, which makes it easy for the attacker to attack the victim.
Another reason is that security questions are themselves a problem. Users tend to give honest
and common answers to security questions, which an attacker can easily guess and then use to
gain access to the users' accounts and exploit that knowledge in their other accounts.
Another problem is that when attackers use attacks such as clickjacking, the attacking
website is transparent and lies over the website on which the user is performing their
action. The user may therefore not even notice that they are performing operations they did
not intend, and so provide their personal data to the attacker.
Finally, the attacks succeed because attackers use exciting and enticing offers that tempt
the victim to try them without knowing what this would lead to. For example, the user is
offered free downloads, streaming and other offers that they are sometimes unable to resist.
Through that, the attacker is able to carry out the attacks successfully.
Proposed solutions
A number of solutions can be implemented to deal with the attacks. One is the use of good
security questions. Security questions that are not related to the website may not be the
best idea, as they are vulnerable to password reset MitM attacks. Using a number of questions
that relate directly to the user's actions on the site is a good method, since the user
cannot use the same questions as legitimate security questions on other websites. A good
example of a site that has implemented this technique is Google. Google combines security
questions with other aspects such as the originating browser and the IP address. Besides
general security questions, Google also asks questions about common contacts, user-defined
labels and the use of multiple Google services.
Good security questions are advantageous in that related questions make it hard for the
attacker to use the same questions to unlock accounts on other sites. They also have limits,
as they can easily be bypassed by attackers, especially those who have a relationship with
the victim.
Another solution is a secure method of resetting the password by SMS. In this case, the
password reset code should be sent by SMS as a clear text message. The message should be
detailed and contain a long link. The advantage of this method is that, to exploit it, the
attacker has to ask the user to copy the link, which would make the user suspicious and so
make things hard for the attacker. Its disadvantage is that the user may not read through the
link first to find out what it entails.
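
The SMS recommendation above, as an added example that is not part of the original essay: the reset message names the sending site and its purpose and carries a long link instead of a short code. The site name, URL, 15-minute lifetime, single-use rule and in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time

SITE_NAME = "Example Shop"                  # assumed site name
RESET_URL = "https://shop.example/reset"    # assumed reset endpoint
TOKEN_TTL = 15 * 60                         # assumed lifetime in seconds
PENDING = {}                                # token digest -> (user_id, expiry)


def issue_reset_sms(user_id, now=None):
    """Create a reset link and the SMS text that carries it."""
    now = time.time() if now is None else now
    # 32 random bytes give a 43-character token: long enough that a page
    # asking the user to retype or paste it looks out of place.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = (user_id, now + TOKEN_TTL)    # store only the hash
    link = f"{RESET_URL}?token={token}"
    # Name the sender and the purpose so the text cannot pass for a
    # sign-up verification code requested by some other website.
    sms = (f"{SITE_NAME}: a password reset was requested for your account. "
           f"Open this link only if you asked for it: {link} "
           f"Never enter it on another website.")
    return sms, token


def redeem_reset_token(token, now=None):
    """Return the user id for a valid token, or None. A token works once."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)       # pop makes the token single-use
    if entry is None:
        return None
    user_id, expiry = entry
    return user_id if now <= expiry else None


if __name__ == "__main__":
    text, tok = issue_reset_sms("alice")
    print(text)
    print(redeem_reset_token(tok))          # valid on first use
    print(redeem_reset_token(tok))          # rejected on replay
```
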
Another method secures the password reset process through a phone call. For the method to
succeed, the message the user receives should contain the sender and the meaning of the code,
while the call should push the user to listen to and understand its content. Its advantage is
that the attacker's chances of tricking the user are minimized, as they have to identify
themselves to the user. Its disadvantage is that users may fail to strictly follow the
instructions given for obtaining the code, making the technique ineffective.
Notifications are another sound method of preventing attacks. In this method, the site
notifies the user, by email notification and SMS, when a password reset is requested and when
the password is changed. This