Virtually all websites that require a login also implement functionality that allows users to reset their password if they forget it. There are several ways of doing this, with varying degrees of security and practicality. One of the most common approaches goes something like this:

1. The user enters their username or email address and submits a password reset request.
2. The website checks that this user exists and then generates a temporary, unique, high-entropy token, which it associates with the user's account on the back-end.
3. The website sends an email to the user that contains a link for resetting their password. The user's unique reset token is included as a query parameter in the corresponding URL:
4. When the user visits this URL, the website checks whether the provided token is valid and uses it to determine which account is being reset. If everything is as expected, the user is given the option to enter a new password.

This process is simple enough and relatively secure in comparison to some other approaches. However, its security relies on the principle that only the intended user has access to their email inbox and, therefore, to their unique token. Password reset poisoning is a method of stealing this token in order to change another user's password.

How to construct a password reset poisoning attack

If the URL that is sent to the user is dynamically generated based on controllable input, such as the Host header, it may be possible to construct a password reset poisoning attack as follows:

1. The attacker obtains the victim's email address or username, as required, and submits a password reset request on their behalf. When submitting the form, they intercept the resulting HTTP request and modify the Host header so that it points to a domain that they control.
2. The victim receives a genuine password reset email directly from the website. This seems to contain an ordinary link to reset their password and, crucially, contains a valid password reset token that is associated with their account.

This technique was first documented in 2013 by our Director of Research, James Kettle. Check out our Research page for full write-ups and video presentations of more innovative techniques discovered by James and the rest of the team.