The "Forgot password?" feature and how DNS vulnerabilities may allow the takeover of user accounts

guest · Jul 24, 2021

Dozens of web apps vulnerable to DNS cache poisoning via ‘forgot password’ feature
Of 146 tested, two applications were vulnerable to Kaminsky attacks, and 62 to IP fragmentation attacks
July 23, 2021
https://portswigger.net/daily-swig/...s-cache-poisoning-via-forgot-password-feature

Vulnerabilities in the way websites resolve email domains have left many sites open to DNS attacks that can lead to account hijacking, new research shows.

In a study of 146 web applications, Timo Longin, security researcher at SEC Consult, found misconfigurations that malicious actors could exploit to redirect password reset emails to their own servers.
Click to expand...

DNS cache poisoning
Most websites have a ‘forgotten password’ feature that sends a message to the user’s email with a link or one-time passcode enabling them to reset their password or regain access to their account. The goal of the study was to find out whether an attacker could force the application to send these emails to an arbitrary server.

For this to happen, the attacker must carry out DNS cache poisoning, where the domain name of the target user (e.g., gmail.com or example.com) is resolved to the IP address of a server the attacker controls.
Click to expand...

Malicious DNS responses
Longin analyzed the DNS resolution process of 146 web applications. He set up his own domain and authoritative DNS server (ADNS) and developed his own DNS proxy to resolve domain names, along with a tool for logging DNS responses.

After 20 hours of registering users and hundreds of hours of analyzing the logs, he found two applications to be vulnerable to Kaminsky attacks and 62 vulnerable to IP fragmentation attacks.

“DNS attacks via IP fragmentation are probably not as known as, for example, the Kaminsky attack. I had to take a deep look into this topic to actually find out that IP fragmentation attacks are a thing,” Longin said, adding that IP fragmentation attacks are very complex and not that easy to exploit.
Click to expand...

Forgot password? Taking over user accounts Kaminsky style

TL;DR
After analyzing 146 web applications for vulnerabilities in their DNS name resolution, Timo Longin (SEC Consult Vienna) discovered that some web applications are still vulnerable today. Kaminsky as well as IP fragmentation attacks may allow to take over user accounts of these web applications via the "Forgot password?" feature. To identify vulnerable web applications, the DNS Reset Checker is provided.

Does this attack vector affect me?

How can I protect myself?

Should I be on the lookout for this attack vector?

The Q&A section covers these and many more questions.
Click to expand...

Log in or Sign up

The "Forgot password?" feature and how DNS vulnerabilities may allow the takeover of user accounts

guest Guest

Log in or Sign up

The "Forgot password?" feature and how DNS vulnerabilities may allow the takeover of user accounts

guest Guest

Useful Searches