Educause Security Discussion mailing list archives

ADP: A Tale of Two Password Reset Portals


From: Shawn Merdinger <shawnmer () GMAIL COM>
Date: Tue, 10 May 2016 18:09:36 -0400

Hi List Folks,

Maybe some are aware of this, but it was new info to me.  Fwiw,
targeted attacks to obtain ADP access and payroll/W-2 info are
actively using the Pathway Two method when an attacker gains control
over a target's email account.

I expect most folks resetting a forgotten ADP password go Pathway One.
Give Pathway Two a try to really get a feel for the issues.  The user
condition is that one has "activated" their email address with ADP.

So, what's the issue?

If you have "activated" your email account with ADP, an attacker who
obtains control of your email can reset the ADP password, _without
answering the custom security questions_, via Pathway Two.

Also via Pathway Two, an attacker can obtain an ADP login username --
just by knowing the first and last name and "activated" email address
of the target... extraneous information disclosure for sure, and a
juicy harvesting opportunity for some really targeted attacks,
including social engineering, as the attacker can control the timing of the
"Attempt to retrieve your User ID" email sent to the user (as in "Hi,
I'm from ADP security and am going to walk you through the password
reset as a safety measure... did you get the user look-up email just
now?  Great... let's continue to the next steps...").


[ Pathway One ]

Goal:  Recover forgotten password
Attacker condition:  Obtained user email credentials and email access
User condition:  Activated email address with ADP after setting up account

Steps:

Browser to https://portal.adp.com/
Click “Forgot Your Password?”
Browser redirects to
https://netsecure.adp.com/ilink/pub/forgotpassword/index.jsp
Steps 1-5 dialog
        1. User ID
        2. Reset Method Choice (Choose send temp password to email)
        3. Security Question #1   ← ATTACKER MUST KNOW THIS ANSWER
        4. Security Question #2   ← ATTACKER MUST KNOW THIS ANSWER
        5. Confirm send password and Confirmation screen
Login with temp password sent to email
Change password using temp password for field 1, new password for fields 2, 3
Email sent subject “ADP Generated Message: Password Change”


[ Pathway Two ]

Goal:  Recover forgotten password
Attacker condition:  Obtained user email credentials and email access
User condition:  Activated email address with ADP after setting up account

Steps:

Browser to https://ipay.adp.com/iPay/login.jsf
Click “Forgot Your User ID/Password?”
Redirects to https://netsecure.adp.com/ilink/pub/smsess/forgot/theme.jsp
Dialog box
     Enter first name
     Enter last name
     Enter email
Result discloses ADP login username just by knowing target name and email...wow
Email sent subject “ADP Generated Message:  Attempt to retrieve your User ID”
Click “I don’t know my password” option
Choose send to email on “Your security code” option
Email sent subject “ADP Generated Message: Security Code”
Enter security code in dialog box within 15 minutes
Reset password
Email sent subject “ADP Generated Message: Password Change”
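A defender-side check, added here and not part of the post: it scans one mailbox's notification subjects (the three "ADP Generated Message" subjects quoted above) for the complete Pathway Two sequence landing inside the 15-minute security-code window, which is the timing signature a mail-filter or SIEM rule can alert on. The timestamps and the non-ADP subjects in the sample are constructed.

```python
from datetime import datetime, timedelta

# Notification subjects quoted in the post, in the order Pathway Two produces them.
PATHWAY_TWO_SEQUENCE = (
    "ADP Generated Message: Attempt to retrieve your User ID",
    "ADP Generated Message: Security Code",
    "ADP Generated Message: Password Change",
)

# The security code must be entered within 15 minutes (from the post), so a
# complete sequence inside that window is the tell-tale timing.
WINDOW = timedelta(minutes=15)


def normalize(subject: str) -> str:
    """Collapse repeated whitespace so 'Message:  Attempt' matches 'Message: Attempt'."""
    return " ".join(subject.split())


def find_pathway_two(events):
    """events: iterable of (timestamp, subject) for one mailbox.
    Returns a list of (start, end) pairs, one per complete reset sequence
    that finished within WINDOW. Unrelated mail between the steps is ignored;
    a sequence that stalls past WINDOW is discarded."""
    wanted = [normalize(s) for s in PATHWAY_TWO_SEQUENCE]
    hits, stage, start = [], 0, None
    for ts, subject in sorted(events, key=lambda e: e[0]):
        if start is not None and ts - start > WINDOW:
            stage, start = 0, None          # stale sequence: code has expired
        if normalize(subject) == wanted[stage]:
            if stage == 0:
                start = ts
            stage += 1
            if stage == len(wanted):
                hits.append((start, ts))
                stage, start = 0, None
    return hits


# Constructed sample mailbox log (not from the post): a lone password-change
# notice, a stale retrieval/code pair outside the window, then the full sequence.
SAMPLE_EVENTS = [
    (datetime(2016, 5, 10, 9, 0), "Weekly newsletter"),
    (datetime(2016, 5, 10, 9, 5), "ADP Generated Message: Password Change"),
    (datetime(2016, 5, 10, 16, 0), "ADP Generated Message: Attempt to retrieve your User ID"),
    (datetime(2016, 5, 10, 16, 20), "ADP Generated Message: Security Code"),
    (datetime(2016, 5, 10, 17, 30), "ADP Generated Message:  Attempt to retrieve your User ID"),
    (datetime(2016, 5, 10, 17, 31), "Lunch tomorrow?"),
    (datetime(2016, 5, 10, 17, 33), "ADP Generated Message: Security Code"),
    (datetime(2016, 5, 10, 17, 40), "ADP Generated Message: Password Change"),
]

if __name__ == "__main__":
    for start, end in find_pathway_two(SAMPLE_EVENTS):
        print(f"Pathway Two reset sequence completed {start} -> {end}")
```

Only the 17:30 to 17:40 run is reported; the 16:00 retrieval followed by a code 20 minutes later is dropped because the code window has lapsed.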

