You’ve Got (a Reset) Mail: A Security Analysis of Email-Based Password Reset Procedures

Innocenti, Tommaso; Mirheidari, Seyed Ali; Kharraz, Amin; Crispo, Bruno; Kirda, Engin

doi:10.1007/978-3-030-80825-9_1

Cited by 4 publications

(4 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, pre-hijacking attacks such as the Unexpired Email Change Attack show the importance of capability URLs. Further research is needed on the types of capability URLs in use, their typical validity periods, and the ways in which they might be abused (e.g., [21]).…”

Section: Discussionmentioning

confidence: 99%

“…Zeller et al [42] present an attack in which the attacker associates their own email address to the victim's account and takes control of the account by requesting a password reset link to be sent to the attacker's email address. Similarly, Innocenti et al [21] discusses attacks based on the password-reset URLs and Lee et al [23] presents the scenario where an attacker owns the recycled phone number of the victim to hijack the accounts of the victim through SMS-based password reset. Although the threat model considered in these works are different from ours, they inspired our Unexpired Email Change and Trojan Identifier Attacks.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

Sudhodanan¹,

Paverd²

2022

Preprint

View full text Add to dashboard Cite

The ubiquity of user accounts in websites and online services makes account hijacking a serious security concern. Although previous research has studied various techniques through which an attacker can gain access to a victim's account, relatively little attention has been directed towards the process of account creation. The current trend towards federated authentication (e.g., Single Sign-On) adds an additional layer of complexity because many services now support both the classic approach in which the user directly sets a password, and the federated approach in which the user authenticates via an identity provider.Inspired by previous work on preemptive account hijacking [17], we show that there exists a whole class of account pre-hijacking attacks. The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account. Assuming a realistic attacker who knows only the victim's email address, we identify and discuss five different types of account pre-hijacking attacks.To ascertain the prevalence of such vulnerabilities in the wild, we analyzed 75 popular services and found that at least 35 of these were vulnerable to one or more account prehijacking attacks. Whilst some of these may be noticed by attentive users, others were completely undetectable from the victim's perspective. Finally, we investigated the root cause of these vulnerabilities and present a set of security requirements to prevent such vulnerabilities arising in future.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

Sudhodanan¹,

Paverd²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Note that phone calls are susceptible to phishing attacks [3]. Thus, email can also be considered the more secure communication channel [41] unless dealing with financial institutions or when critical information is exchanged where a high level of security is necessary, e.g., in-person or physically mailing to the user address. In addition, we considered security verification checks that can be a second step to confirm the user's identity to restore an account.…”

Section: Account Deletion Recovery and Restorationmentioning

confidence: 99%

A Transcontinental Analysis of Account Remediation Protocols of Popular Websites

Markert¹,

Adhikari²,

Das³

2023

Proceedings 2023 Symposium on Usable Security

View full text Add to dashboard Cite

Websites are used regularly in our day-to-day lives, yet research has shown that it is challenging for many users to use them securely, e.g., most prominently due to weak passwords through which they access their accounts. At the same time, many services employ low-security measures, making their users even more prone to account compromises with little to no means of remediating compromised accounts. Additionally, remediating compromised accounts requires users to complete a series of steps, ideally all provided and explained by the service. However, for U.S.-based websites, prior research has shown that the advice provided by many services is often incomplete. To further understand the underlying issue and its implications, this paper reports on a study that analyzes the account remediation procedure covering the 50 most popular websites in 30 countries, 6 each in Africa, the Americas, Asia, Europe, and Oceania. We conducted the first transcontinental analysis on the account remediation protocols of popular websites. The analysis is based on 5 steps websites need to provide advice for: compromise discovery, account recovery, access limitation, service restoration, and prevention. We find that the lack of advice prior work identified for websites from the U.S. also holds across continents, with the presence ranging from 37% to 77% on average. Additionally, we identified considerable differences when comparing countries and continents, with countries in Africa and Oceania significantly more affected by the lack of advice. To address this, we suggest providing publicly available and easyto-follow remediation advice for users and guidance for website providers so they can provide all the necessary information.

show abstract

“…Prior work on account recovery mechanisms investigated different authentication schemes [64], [65] and password reset strategies [66]. Password recovery schemes may also be vulnerable to manin-the-middle (MitM) attacks [67], [68], [69]. Liu et al [70] focus on user information security after account deletion, but this falls outside the scope of remediation that we are addressing.…”

Section: Related Workmentioning

confidence: 99%

An Empirical Analysis of Incorrect Account Remediation in the Case of Broken Authentication

Lee,

Choi,

Yoon

et al. 2023

IEEE Access

View full text Add to dashboard Cite

One of the most critical vulnerabilities in authentication, commonly referred to as ''broken authentication,'' poses a harmful threat, leading to the compromise of user credentials and the unauthorized hijacking of sessions. Addressing these security breaches is imperative, necessitating effective remediation mechanisms. Our primary objective is to assess and enhance the security posture of remediation mechanisms by addressing the vulnerabilities associated with broken authentication. Our investigation reveals deficiencies in the implementation of the three prevailing remediation mechanisms across popular Service Providers (SPs), rendering manual remediation attempts futile. We demonstrate our claim by measuring post-compromise security preparedness across over 350 popular websites and applications. During the measurement, SPs were divided into three groups to compare the correctness of the remediation mechanisms across groups. Based on the measurement and evaluation results, we analyzed the root cause of such incorrectness and discussed possible mitigations and practical recommendations to solve the remedial problems. The scope of this study ranges from compromise to the immediate consequences of countermeasures. Hence, discussions of the causes of broken authentication and descriptions of attacks for breaking authentication are beyond the scope of this study. Detailed case studies of four popular SPs are included to discuss their unique reactive prevention behaviors. Observations and their meaningful results challenge us to render remediation mechanisms opaque and difficult to audit, which contributes to underestimating the security threats of ineffective revocations.

show abstract

You’ve Got (a Reset) Mail: A Security Analysis of Email-Based Password Reset Procedures

Cited by 4 publications

References 21 publications

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

A Transcontinental Analysis of Account Remediation Protocols of Popular Websites

An Empirical Analysis of Incorrect Account Remediation in the Case of Broken Authentication

Contact Info

Product

Resources

About