WebApp Sec mailing list archives

RE: Example of the worst passwd recovery interface


From: Irene Abezgauz <irene.abezgauz () gmail com>
Date: Thu, 4 Aug 2005 11:43:13 +0200

The things I've seen...

The interfaces that ask you for information you can SEARCH in the site
(because it has a search for users), the ones that have a witty, clever
question (your birth state) - coupled, naturally, with no lock-out
mechanism.
The ones that display the password to you in cleartext once you have
answered a simple question.


On the other hand, yours truly has once found herself locked out of her
internet bank account after failing 3 logins, failing the password-reset
interface (forgot to update my address and was using my new zip code as
part of the info). And NOTHING I did helped me bring my pass back. Had
to actually physically go there.

Irene 
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com
 

-----Original Message-----
From: Marc Heuse [mailto:Marc.Heuse () nruns com] 
Sent: Thursday, August 04, 2005 10:29 AM
To: 'Saqib Ali'
Cc: webappsec () securityfocus com
Subject: RE: Example of the worst passwd recovery interface

If this is the worst you have seen, you haven't seen much :-)

I once saw one where you could specify the email address to
send the password to ... amazing.
Or the "security questions" with the best one: "what is your favorite
colour" :-)

But to bring at least a little value to this response:

There is another problem in the "send me my password" page you found:
it also shows you if a userid exists or not, hence it makes
brute forcing accounts + passwords easier.

cheers,
marc

====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC  4BF8 EC8F E64B 0A84 EA10
====================================================================
 
-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Wednesday, 3 August 2005 22:59
To: webappsec () securityfocus com
Subject: Example of the worst passwd recovery interface

I think Citrix has implemented the most insecure password recovery
webpage of all time.

Here is the link to their password recovery page:
https://secureportal.citrix.com/MyCitrix/Register/RemindPassword.aspx

All the user has to do is type in a Citrix userid, and the system
sends a password reminder to the email address on the account.
Nothing terribly insecure with this.

"However the web page also displays the email address to which the
reminder was sent."

Try my Citrix id: saqib1

So essentially if you have the Citrix id of a user, you can get their
email address. Getting the Citrix ID is a pretty easy process. All the
IDs are listed in the Citrix Online Discussion Forum:
< http://support.citrix.com/forums/index.jspa >

Also you can potentially create an email flood for any registered user
on the Citrix website. The process can be easily automated.

If I remember correctly, Citrix stated in their Privacy Policy that
the email addresses of registered users will not be displayed on their web
pages. So I guess they are violating their own policy as well.

I think Citrix's password recovery webpage is a good example of how
NOT to design password recovery webpages.

-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/

 

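The two defects the thread raises (Marc's point that the reminder page confirms whether a userid exists, and Saqib's point that it names the address it mailed and can be scripted into an email flood) come down to one request handler. The following is an added example, not code from the thread or from Citrix: a constructed user store, a `weak_remind` function that reproduces the described behaviour, and a hypothetical `ResetService` that answers every request identically and caps how often mail is queued per identifier.

```python
from collections import defaultdict

# Constructed sample user store (userid -> registered e-mail); not real accounts.
USERS = {"saqib1": "saqib@example.org", "alice": "alice@example.net"}

# One fixed reply for every request: it neither confirms the id nor names the address.
GENERIC_MESSAGE = "If that user id is registered, a reminder has been sent to the address on file."


def weak_remind(userid):
    """The behaviour the thread describes: the reply reveals whether the id exists
    and, when it does, the e-mail address it belongs to (mail dispatch omitted)."""
    email = USERS.get(userid)
    if email is None:
        return "Unknown user id"          # confirms non-existence -> id enumeration
    return f"Reminder sent to {email}"    # discloses the address of an existing account


class ResetService:
    """Hardened handler (hypothetical): uniform reply plus a per-id send cap."""

    def __init__(self, window_seconds=3600, max_per_window=3):
        self.window = window_seconds
        self.max_per_window = max_per_window
        self.attempts = defaultdict(list)  # userid -> request timestamps
        self.outbox = []                   # (userid, email) pairs actually queued for mailing

    def request_reset(self, userid, now):
        # Keep only timestamps inside the window, then record this request.
        recent = [t for t in self.attempts[userid] if now - t < self.window]
        self.attempts[userid] = recent + [now]
        # Known and unknown ids take the same path and get the same reply; only the
        # queue differs. Queueing instead of sending inline keeps response time uniform.
        # Production code should also throttle per source address, not only per id.
        if len(recent) < self.max_per_window:
            email = USERS.get(userid)
            if email is not None:
                self.outbox.append((userid, email))
        return GENERIC_MESSAGE
```

Each id gets at most `max_per_window` reminders per window, so repeated requests for one account no longer turn into a flood of its inbox.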
 

