
Emailed password reset: A weak security link

Taking over someone's digital identity is not that difficult if you have access to that person's email account. A researcher conducted a "small experiment" to illustrate just how easy it is to seize control.

Before signing up for an online service, users have to provide a way to verify their identity, Lucas Lundgren of IOActive Labs wrote on the group's research blog. It doesn't matter if you are registering on a forum in order to see the answer to one particular question, and you will probably never visit the forum site again. You need a way for the service provider to contact you when you become a member, whether it's Gmail, Facebook, Twitter, online banking, or shopping. Odds are that you used your email address to verify your identity.

"There's a saying that all roads lead to Rome? Well, the big knot in this threat is – you guessed it – your email address," Lundgren wrote.

Lundgren's research project was simple. He tried breaking into the online accounts of six family members and friends, using either Google searches or social engineering techniques. There would be no need to brute force passwords, because he targeted the true "weakest link," the password reset mechanism. He succeeded with five of them. The only one he couldn't compromise had forgotten what she'd selected as the security question.

"That saved her," he noted.

Technique: Resetting passwords

In one instance, Lundgren was trying to get into a friend's Gmail account and found out the password reset link was being sent to a Hotmail account. He didn't know the address so he looked it up on Facebook. That was just a matter of setting up a fake profile using a photo of someone else his target already had as a Friend on Facebook. Once the fake profile was up, "almost identical to the girl," he sent a Friend request. Once the request was accepted, Lundgren was able to see the email address listed on the profile.

The secret question for Hotmail asked for the mother's maiden name, which had been posted at one point on Facebook. Once in Hotmail, he found the password reset email from Gmail. That easily, he'd gained access to his friend's two email accounts. Using the same methods gave him access to Facebook, and all the sites set up to log in using Facebook, such as Flickr. That Gmail account also appeared to be tied to an iTunes account and an online electronics store.

Even if the user had selected a long and complex password that used numbers, mixed case, symbols, and no dictionary words, odds are, when prompted with the password recovery question, they provided a simple answer.

Protect yourself

The way Lundgren was able to trace multiple accounts and services from a single account should sound familiar. Wired writer Mat Honan recently lost control over his iPhone, iCloud, and MacBook Air when someone used social engineering techniques on Apple and Amazon customer service to reset the passwords on his account.

Lundgren recommends creating an email account which has no login. He uses a particular email on his domain to register on forums and other sites. However, that address is set up on the domain as just a forwarding address to a real address, and not as a fully-fledged mailbox. Because there's no way to log in, the attacker can't reset the password to that account to gain access to other services. Any password reset requests for various services are sent to the actual address by means of the email forwarder, but there's no way for the attacker to know what the final destination actually is. An attacker would also be unable to reset the password for that email forwarding address.
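To see how far a single mailbox reaches in your own setup, the following Python sketch (an added example, not from Lundgren's post or this article) maps which account can reset or log into which, then computes what falls when one account is taken over. The inventory is constructed for illustration, and `blast_radius` and `rank_by_exposure` are hypothetical names.

```python
from collections import deque

# Constructed inventory (not data from the article): each account maps to the
# accounts that can reset it or log into it (reset mailbox or social login).
RECOVERS_VIA = {
    "hotmail": [],                       # guarded only by a secret question
    "gmail": ["hotmail"],                # reset link is mailed to hotmail
    "facebook": ["gmail"],
    "flickr": ["facebook"],              # "log in with Facebook"
    "itunes": ["gmail"],
    "electronics-store": ["gmail"],
    "private-mailbox": [],
    "forum-alias": ["private-mailbox"],  # forward-only address, no login
    "forum": ["forum-alias"],
}


def blast_radius(recovers_via, start):
    """Return every account that falls once `start` is compromised."""
    # Invert the map: for each account, which accounts depend on it?
    dependents = {}
    for account, parents in recovers_via.items():
        for parent in parents:
            dependents.setdefault(parent, []).append(account)
    # Breadth-first walk over everything reachable through reset/login links.
    seen, queue = {start}, deque([start])
    while queue:
        for child in dependents.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen - {start}


def rank_by_exposure(recovers_via):
    """Accounts sorted by how many others they unlock, worst first."""
    sizes = {a: len(blast_radius(recovers_via, a)) for a in recovers_via}
    return sorted(sizes.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for account, count in rank_by_exposure(RECOVERS_VIA):
        print(f"{account:18} unlocks {count} other account(s)")
```

The account at the top of the ranking is the one whose recovery settings deserve the strongest protection; registrations routed through the forward-only alias stay outside the radius of the publicly known mailbox.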

On a more basic level, think very carefully about what information you’re displaying on Facebook, and try not to reveal any juicy personal details such as your mother’s maiden name or similar. In terms of security, when it comes to social networks, the less personal data you display, the better. Also, you could simply treat any security question as a second password (just don’t forget that password).

"It's getting easier and easier to use just one source for authentication and that means if any link is weak, you jeopardise all your other accounts as well," Lundgren concluded, adding that if there are any work-related accounts or information in the mix, the employer is at risk, too.