about inactive account hijacking



INACTIVE ACCOUNT HIJACKING

author: l0om
page: l0om.org
date: 02.05.2009

OVERVIEW:

I would like to draw your attention to a problem that is already known and has surely been exploited for a long time, but which clearly seems to be underestimated.

the problem is explained quickly:
- email service providers delete inactive accounts after six or twelve months of inactivity and release the address for re-registration (nearly every big email provider does this)
- many platforms (webshops, forums, etc.) do NOT delete inactive accounts

This asymmetry in the handling of inactive accounts means that thousands of accounts on various online platforms can be hijacked by an attacker without any technical difficulty.

The procedure is so simple that it hardly needs explaining:
- An attacker takes an old email address and tries to register it as a new account at the email service provider.
- If it can be registered, it can be assumed that the account has been released (or never existed).
- The attacker then tries to create accounts for this email address on a variety of online platforms.

+ If the registration succeeds, there was no account registered for this email address on this platform.
+ If the registration fails because an account with this email address already exists there, a registered account for this email address has been found, and now it gets ugly.

The attacker hijacks the platform account simply by using the forgotten-password function with the email address he now controls: the platform sends a link to that mailbox which can be used to set a new password. Now he has the original owner's data and account functions under his control.

jeopardized are all online systems that use such a forgotten-password function, i.e. a reset link sent to the registered email address without any further proof of identity.

furthermore, the attacker does not even have to probe: newsletter emails (especially around the holidays) arriving in the re-registered mailbox lead him to still more accounts.

one interesting fact is that especially very big platforms (webshops and forums that have been on the net for a long time) are vulnerable.

DEFENSE:

it is necessary to fix the forgotten-password function on large platforms as quickly as possible. instead of only asking for the email address to identify yourself, you should also be asked for something else, e.g. the last digits of your bank account number; this information should not be findable anywhere on the internet. this makes efficient, large-scale execution of the attack impossible. since such a secret is short, the reset function must also limit attempts and lock the account after a few wrong answers, otherwise it can simply be guessed.
furthermore, newsletter scripts should check for delivery-failed messages (bounces) caused by mailboxes that no longer exist. such accounts can and should be locked (maybe deleted). only hard bounces (the mailbox does not exist) count here, not temporary failures such as a full mailbox.
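the following is an added example, not code from the original article: a small in-memory model of both defenses above. it puts the email-only reset flow the article attacks next to a hardened flow that also requires a secondary secret (hashed, compared in constant time, locked after a few failures), and a bounce handler that parses a delivery status notification (RFC 3464 style Final-Recipient / Status / Diagnostic-Code fields) and locks an account only on a hard bounce for a mailbox that no longer exists. the account store, the "last four digits" secret, the sample DSN texts and the bounce phrases are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    secret_salt: bytes       # per-account salt for the secondary secret
    secret_hash: bytes       # PBKDF2 of the secondary secret (assumed: last 4 digits of a bank account)
    locked: bool = False     # set once the mailbox is known to be gone or the secret was guessed at too often
    reset_failures: int = 0  # wrong secondary answers since the last successful reset


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # the secondary secret is low entropy, so store it like a password, never in clear
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# DSN fields we care about (assumed layout: one "Name: value" field per line)
_FIELD = re.compile(r"^(Final-Recipient|Original-Recipient|Status|Diagnostic-Code):\s*(.*)$", re.I | re.M)
# diagnostic phrases (constructed list) that say the mailbox itself does not exist
_GONE = re.compile(r"user unknown|unknown user|no such user|does not exist", re.I)


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str, secondary_secret: str) -> None:
        salt = os.urandom(16)
        self.accounts[email.lower()] = Account(email.lower(), salt, _hash_secret(secondary_secret, salt))

    # the weak flow from the article: whoever controls the mailbox gets a reset link
    def reset_email_only(self, email: str) -> Optional[str]:
        acct = self.accounts.get(email.lower())
        if acct is None or acct.locked:
            return None
        return secrets.token_urlsafe(32)  # this would be mailed to the (possibly re-registered) address

    # hardened flow: the link is only issued when the requester also knows the secondary secret
    def reset_with_secret(self, email: str, secondary_secret: str, max_failures: int = 5) -> Optional[str]:
        acct = self.accounts.get(email.lower())
        if acct is None or acct.locked:
            return None
        if not hmac.compare_digest(_hash_secret(secondary_secret, acct.secret_salt), acct.secret_hash):
            acct.reset_failures += 1
            if acct.reset_failures >= max_failures:
                acct.locked = True  # a 4-digit secret is guessable, so stop the guessing
            return None
        acct.reset_failures = 0
        return secrets.token_urlsafe(32)

    # newsletter side: lock the account if the bounce says the mailbox no longer exists
    def handle_bounce(self, dsn: str) -> Optional[str]:
        fields = {name.lower(): value.strip() for name, value in _FIELD.findall(dsn)}
        recipient = fields.get("final-recipient") or fields.get("original-recipient") or ""
        address = recipient.split(";", 1)[-1].strip().lower()  # "rfc822; user@example.com" -> address
        status = fields.get("status", "")
        diag = fields.get("diagnostic-code", "")
        hard = status.startswith("5.") and (status.startswith("5.1.1") or _GONE.search(diag) is not None)
        if not hard:
            return None  # 4.x.x (e.g. mailbox full), other 5.x.x policy rejects, or unparsable: do not lock
        acct = self.accounts.get(address)
        if acct is None:
            return None
        acct.locked = True
        return address


# constructed sample DSNs, not real bounces
HARD_BOUNCE = """Reporting-MTA: dns; mx.example.net
Final-Recipient: rfc822; alice@example.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown
"""

SOFT_BOUNCE = """Reporting-MTA: dns; mx.example.net
Final-Recipient: rfc822; bob@example.com
Action: delayed
Status: 4.2.2
Diagnostic-Code: smtp; 452 4.2.2 Mailbox full
"""


def demo() -> dict:
    store = AccountStore()
    store.register("alice@example.com", "4711")
    store.register("bob@example.com", "0815")
    out = {}
    # attacker has re-registered alice's released mailbox: the email-only flow hands over the account
    out["weak_reset_issued"] = store.reset_email_only("alice@example.com") is not None
    # same attacker against the hardened flow, guessing the secret, then the real owner
    out["hardened_wrong_secret"] = store.reset_with_secret("alice@example.com", "0000")
    out["hardened_right_secret"] = store.reset_with_secret("alice@example.com", "4711") is not None
    # newsletter bounces: alice's mailbox is gone (hard bounce), bob's is only full (soft bounce)
    out["hard_bounce_locked"] = store.handle_bounce(HARD_BOUNCE)
    out["soft_bounce_locked"] = store.handle_bounce(SOFT_BOUNCE)
    out["alice_locked"] = store.accounts["alice@example.com"].locked
    out["bob_locked"] = store.accounts["bob@example.com"].locked
    out["weak_reset_after_lock"] = store.reset_email_only("alice@example.com")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

in a real deployment the lock would go to the user database and the hard-bounce decision should be confirmed over a couple of sends, since some receivers answer 5.1.1 for greylisting or misconfiguration reasons; the point here is that a mailbox which the provider has released must not keep working as the only key to the platform account.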

GREETINGS:

John K., I², Molke, McFly, Takt, Proxy, johnny long, murfie, Maximilian, Theldens, Commander Jansen, detach, ole
and last but not least Jquade

FLAMES:

salem, the knilch
