By John Leyden for The
Register.
This article has been reproduced with permission.
It warns that the log-in process of many transactional websites
can be subverted by a "brute force" or enumeration attack. In a
survey of 107 popular online retail websites in the UK, SecureTest
found that 54 of the sites (or 50.5 per cent) are potentially
vulnerable to this type of hack attack.
Differences in responses by applications when valid and invalid
user account names can give clues to hackers and form the basis of
enumeration attacks. If a valid user name (or registered email
address) is entered on a "forgotten password" page, a web
application might respond stating that a password will be sent to
the user by email. If an invalid user name is entered, the
application could respond with "invalid account name". Using this
information, a script can be written to try numerous account names,
exploiting these differences in response. While this is a
time-consuming process it does create a means to create a list of
valid user names.
Armed with this list, a hacker might apply a similar brute force
attack to target the application and crack account passwords. Once
sets of user names and passwords are established a hacker would be
able to log into an account, make purchases or extract confidential
data, such as a user's postal addresses and credit card
details.
"We test web applications daily and repeatedly find that
enumeration is possible. This problem is not limited to retail.
Most websites with a password reminder function are vulnerable to
enumeration attacks," SecureTest managing director Ken Munro said.
A self-confessed ecommerce user, Munro said he looked into the
issue after becoming concerned about the way sites he used handled
users with forgotten passwords. Hack attacks targeting the
forgotten passwords of ecommerce websites are something neither
Munro or ourselves can cite examples of. However, Munro maintains
that the risk is real and worth considering, especially because
defending against enumeration attacks on passwords is a simple
coding exercise.
Some etailers have implemented a "lock out" feature that
restricts access to accounts after a fixed number of failed
password attempts. SecureTest reckons this approach, while it might
appear to be a good idea, leaves open other forms of abuse such as
a risk that the attacker will bombard valid accounts with bad
passwords, thus locking out the retailers' customers. In effect
this creates a Denial of Service (DoS) attack with the application
blocking bona fide users through its own aggressive lock out
policy.
SecureTest advises retailers to consult their application
developer about alternative countermeasures. The security
consultancy has developed a list of recommendations that can be
taken to help prevent brute force attacks against ecommerce
sites:
- Instigate a 'time out' feature on the log-in form. This will
slow down a brute force attack to such an extent that it will
render it ineffective.
- Avoid applying a permanent lock-out on the log-in form: an
attacker could deliberately lock out valid users by trying bad
passwords on their accounts.
- Make sure the error message on the log-in form is generic;
don’t distinguish between a valid/invalid username and
valid/invalid password. "Incorrect credentials entered’ is a
suitable response.
- Consider implementing a second authentication factor on the
forgotten password feature, e.g. a memorable date.
- Ensure you are logging HTTP POST requests from the log-in form
and forgotten password feature as this may not be enabled by
default.
- Inspect logs to monitor attacks particular accounts and take
appropriate action if any such hacking attack is identified.
© The Register
2006
