There has always been something deeply unsettling to me about the ‘Forgot Password’ functionality on many web sites.
The ‘Forgot Password’ page exists solely to help unauthenticated users bypass the usual means of authentication.
For whatever reason, many developers overlook the importance of locking this down, even after the issue of too-easily-guessable questions in Yahoo’s ‘Forgot Password’ procedure got a lot of media attention during the US presidential campaign after Gov. Palin’s webmail was hacked.
Even if the questions were based on specific preferences and more difficult to guess, very few sites will check for brute-force attempts on the ‘Forgot Password’ page, even though protections against brute-forcing have often been implemented in the more prestigious login page.
One other recommendation I usually make is the banning of email addresses from Mailinator, Slopsbox, and similar anonymous email services in registration.
If you’re not familiar with Mailinator, it’s an email server which displays ALL received emails to anyone who visits their web site. Say you were registering for some web site and they asked for an address to send the validation email to. You can just enter any email address at Mailinator, for example asdf@mailinator.com, and then go to www.mailinator.com and read the response. This is great for not having to give out your real email.
What this means, however, is that I can simply go to the ‘Forgot Password’ page, which usually requires only an email address, enter asdf@mailinator.com, and a password reset email will be sent to Mailinator where I can collect it anonymously. Any user account on any web service which was registered to a Mailinator email address can be compromised simply by guessing the email address.
Here’s where the brute-forcing comes in. Since most sites let you make as many guesses on the ‘Forgot Password’ page as you’d like, there is nothing stopping an attacker from simply guessing email addresses at full tilt.
To demonstrate the effectiveness of this technique, I’ve written two example scripts, called the Mailinator-nator, which are available here.
The first script is called forgot-pwd-force.py. It does the following:
1) Brute forces “Forgot Password” forms that only require email addresses on a hardcoded list of sites, using a wordlist of usernames.
2) For each username, tries each of the Mailinator domain aliases (Mailinator has a number of different domain names that point to the same place).
The second script is called mailinator-scan.py. It does the following:
1) Reads a wordlist of usernames from a file.
2) For each username, connects to Mailinator and logs all emails to that user which contain the word “password”.
To use these two together, first add your target sites to forgot-pwd-force.py. You can use one of my included wordlists or make your own; just be sure to use the same wordlist for both scripts.
Next, run the first script to force the target site to generate password reset emails to Mailinator addresses.
Wait a few minutes, and then run the second script to collect all of the return emails from the Mailinator server.
The second script can also be run as a cron job, which lets you troll Mailinator for password reset emails that you did not trigger yourself! Mailinator deletes all received emails within an hour or two, so you may have to tinker with it to find a good interval.
I love Mailinator, so I checked and this doesn’t seem to violate their terms of service. Looking at their site, they don’t seem to have terms of service! This makes some kind of sense, since all users to the site are anonymous. That said, actually logging in to a web site with a password recovered in this way is probably illegal in most jurisdictions so don’t do it.
As a site developer, what can you do to prevent these kinds of problems?
1) Ban registration emails to Mailinator and all of its domain aliases.
2) After 10 or so failed attempts to guess an answer on the ‘Forgot Password’ page, ban the IP for 5-15 minutes.
3) Require more than just the email address to send a password reset email. Consider at least two factors: email address AND one security question.
These three measures will protect your ‘Forgot Password’ page from brute-forcing and dictionary attacks, as well as protecting your users from having their accounts stolen.
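The three measures above, worked into one server-side check as an added example (this is not code from the post or from the Mailinator-nator scripts). The disposable-domain list and the email/security-answer pairs are constructed sample data; a real deployment would load the current alias list from the provider and keep the counters in shared storage rather than in process memory.

```python
import time
from collections import defaultdict

# Constructed sample of disposable / public-inbox domains (hypothetical list;
# take the real alias list from the provider's own site and keep it updated).
DISPOSABLE_DOMAINS = {"mailinator.com", "slopsbox.com"}

MAX_FAILURES = 10       # measure 2: failed guesses allowed per IP
BAN_SECONDS = 10 * 60   # measure 2: ban length, inside the 5-15 minute range


def email_domain(email):
    return email.rsplit("@", 1)[-1].strip().lower()


def is_disposable(email):
    """Measure 1: reject disposable addresses at registration time."""
    return email_domain(email) in DISPOSABLE_DOMAINS


class ForgotPasswordGuard:
    """Measures 2 and 3 applied to a 'Forgot Password' submission."""

    def __init__(self, accounts, clock=time.time):
        # accounts: email -> security answer (constructed sample data).
        self.accounts = {e.lower(): a.strip().lower() for e, a in accounts.items()}
        self.clock = clock                # injectable for testing
        self.failures = defaultdict(int)  # ip -> consecutive failed guesses
        self.banned_until = {}            # ip -> time the ban expires

    def request_reset(self, ip, email, answer):
        now = self.clock()
        if self.banned_until.get(ip, 0) > now:
            return "banned"
        expected = self.accounts.get(email.lower())
        # Unknown address and wrong answer get the same reply, so the page
        # does not confirm which addresses are registered.
        if expected is None or answer.strip().lower() != expected:
            self.failures[ip] += 1
            if self.failures[ip] >= MAX_FAILURES:
                self.banned_until[ip] = now + BAN_SECONDS
                self.failures[ip] = 0
            return "rejected"
        self.failures[ip] = 0
        return "reset_sent"   # only here would the reset mail be generated
```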
As a user of Mailinator, you can reduce your exposure to this risk by making use of the ‘Delete This Email’ feature of Mailinator and by using a long, difficult-to-guess user name.
Thanks a lot for this script. It works a charm and is easy to mod. On another note, you’ve opened my eyes to the beauty of PY.
I found this post after running a search for “mailinator ban forums.” I’m glad I did too. I’ve been getting lots of spam on my forums from people using mailinator accounts. I’ve banned all use of mailinator so this problem should be fixed.
Another issue I’m seeing is spam posts with clear gif images. When you look at the post you don’t see an image at all, but when you examine the code you see a URL ending with /clear.gif.
I assume what they’re planning is to swap out the image with an ad of some sort in the future. Anyways, thanks for helping me with one area of spam control.
Chris O’Connor — the clear GIF is not supposed to be swapped out for something. It’s supposed to be there and invisible. When your mail client, web browser, or whatever fetches clear.gif it leaves your IP address in the server’s logs. And since the URL to the clear.gif was probably constructed so as to uniquely identify your email address, the act of fetching clear.gif will verify your email address as valid, and tell the spammer roughly where you live and perhaps your operating system and web browser or mail client of choice. Some pre-configured consumer systems will also leak information such as serial numbers and whether software is up-to-date with patches or not (and thereby what vulnerabilities may be used to exploit that system).
Hey!
Did you forget the best feature of mailinator?
http://www.mailinator.com/faq.jsp
What are “Alternate Inbox Names”?
Thus, you can email joe@mailinator.com OR M8R-yrtvm01@mailinator.com – either way, the email will arrive in the “joe” inbox (and nothing into the M8R-yrtvm01 inbox).
Can you brute force that?