Re: ADP: A Tale of Two Password Reset Portals

[Shawn Merdinger <shawnmer () GMAIL COM>]

ADP response:

<snip>

"Currently the https://ipay.adp.com/iPay/login.jsf is employing a
simplified password reset flow based on the feedback from clients. The
methodology was designed to help offset some of the overhead clients
were experiencing from the flow currently in use via Portal. By
sending the security code to an email or mobile phone the flow met an
acceptable level of security and helped reduce the need for
administrator intervention due to issues such as forgotten challenge
question answers.

After discussing the current behavior with our Product and Security
divisions the decision has been made to revisit this simplified
password reset flow. We are working on a solution that will continue
to provide an improved user experience without introducing the
potential for increased risk. At this time we do not have a timeline
for making these changes but this has been given a top priority."

</snip>

Cheers,
--scm


On 5/10/16, Shawn Merdinger <shawnmer () gmail com> wrote:
> Hi List Folks,
>
> Maybe some are aware of this, but it was new info to me.  Fwiw,
> targeted attacks to obtain ADP access and payroll/W-2 info are
> actively using the Pathway Two method when an attacker gains control
> over a target's email account.
>
> I expect most folks resetting a forgotten ADP password go Pathway One.
> Give Pathway Two a try to really get a feel for the issues.  The user
> condition is that one has "activated" their email address with ADP.
>
> So, what's the issue?
>
> If you have "activated" your email account with ADP, an attacker who
> obtains control of your email can reset the ADP password, _without
> answering the custom security questions_, via Pathway Two.
>
> Also via Pathway Two, an attacker can obtain a ADP login username --
> just by knowing the first and last name and "activated" email address
> of the target....extraneous information disclosure for sure, and a
> juicy harvesting opportunity for some really targeted attacks,
> including social engineering as the attacker can control timing of the
> "Attempt to retrieve your User ID” email sent to the user (as in "Hi,
> I'm from ADP security and am going to walk you through the password
> reset as a safety measure...did you get the user look-up email just
> now?  Great...let's continue to the next steps...").
>
>
> [ Pathway One ]
>
> Goal:  Recover forgotten password
> Attacker condition:  Obtained user email credentials and email access
> User condition:  Activated email address with ADP after setting-up account
>
> Steps:
>
> Browser to https://portal.adp.com/
> Click “Forgot Your Password?”
> Browser redirects to
> https://netsecure.adp.com/ilink/pub/forgotpassword/index.jsp
> Steps 1-5 dialog
>         1. User ID
>         2. Reset Method Choice (Choose send temp password to email)
>         3. Security Question #1   ← ATTACKER MUST KNOW THIS ANSWER
>         4. Security Question #2   ← ATTACKER MUST KNOW THIS ANSWER
>         5. Confirm send password and Confirmation screen
> Login with temp password sent to email
> Change password using temp password for field 1, new password for fields 2,
> 3
> Email sent subject “ADP Generated Message: Password Change”
>
>
> [ Pathway Two ]
>
> Goal:  Recover forgotten password
> Attacker condition:  Obtained user email credentials and email access
> User condition:  Activated email address with ADP after setting-up account
>
> Steps:
>
> Browser to https://ipay.adp.com/iPay/login.jsf
> Click “Forgot Your User ID/Password?”
> Redirects to https://netsecure.adp.com/ilink/pub/smsess/forgot/theme.jsp
> Dialog box
>      Enter first name
>      Enter last name
>      Enter email
> Result discloses ADP login username just by knowing target name and
> email...wow
> Email sent subject “ADP Generated Message:  Attempt to retrieve your User
> ID”
> Click “I don’t know my password” option
> Choose send to email on “Your security code” option
> Email sent subject “ADP Generated Message: Security Code”
> Enter security code in dialog box within 15 minutes
> Reset password
> Email sent subject “ADP Generated Message: Password Change”