A Simply Interesting (Pun Intended) Man-in-the-Middle Attack

I read about an interesting attack today. An Israeli study by Senia Kalma, Bar Magnezi, Hen Porcilan, and Nethanel Gelernter of the College of Management Academic Studies, Israel, and Cyberpion, a company Mr. Gelernter works for, suggests that a variant of the man-in-the-middle attack exists that traditional countermeasures fail to detect.

The attack, called Password Reset Man in the Middle Attack (PRitM), takes advantage of our curiosity and love of anything ‘free’; or, at least, my love of anything free. This attack, from my perspective, is especially applicable to the cybersecurity profession, where tech companies routinely offer whitepapers or other valuable material in exchange for a little bit of data about ourselves. Our curiosity about the latest trend leads us to register for a site in exchange for access to the goodies. Granted, most of us know that the site is collecting the data for marketing and other less nefarious purposes, but do we really think it’s a lapse in security to exchange our email address for a white-paper? The answer is now a resounding “Yes”.

The PRitM attack is particularly beautiful in its simplicity; Malevich, Judd, and Pawson would be honored to have this attributed to them. Typically, a website, let’s say a security website by a new tech company, offers a white-paper that vows to teach us total security for our information systems. The bait could just as well be a recipe for an awesome dessert that is only 10 calories. This is the bait, and our curiosity is the hook. We go to view the file, only to be confronted by a login or registration dialog. After the initial eye-roll, we reflexively type in our email address.

As soon as the email address hits the website, however, the attack begins. By entering our email, we’ve given the attacker (who has control of the website) the information she needs to begin a password reset on our email account. Once initiated, one of three things will happen:

1) The server will generate a CAPTCHA request to make sure a human is interacting with the service;

2) The server will send an SMS code; or

3) The server will begin the process of a reset via recovery questions.

The beauty in the attack is that all of this is passed on to us as we are registering to download or view that file. For example, if our email provider needs a CAPTCHA answer to initiate a reset, the attacker merely forwards the CAPTCHA to us while we are filling out the information form. The same applies to security questions and SMS two-factor authentication. A two- or three-step sign-up process lets the script the attacker writes pass the challenges between our email provider and us with minimal overhead.

Who’s affected? The researchers ran their test cases against Google, Facebook, LinkedIn, PayPal, eBay, Baidu, Yahoo, Twitter, and a host of others; so, everybody. Websites that email links to reset passwords were not affected by the PRitM attack.

How do we protect ourselves against the PRitM attack? First, be sure we want to give out our email address, and if we do, use a throw-away address that is not linked to financial or other sensitive accounts. If an attack is in progress using SMS messages, be sure to closely read what the message says, as registering for a site won’t generate a message from our email provider.
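To make the point in the two previous paragraphs concrete (a code or CAPTCHA answer can be typed into any form, while an emailed link only ever gets opened from the account’s own mailbox), here is a small toy model. It is an added illustration, not code from the study or from this post; the provider class, the address, phone number and `relay_outcome` function are all invented, and the “visitor” is modelled as someone who types any code that reaches their phone into whatever form asked for it, which is the behaviour the post warns about.

```python
import secrets
import time


class ToyEmailProvider:
    """Constructed stand-in for an email provider offering two reset designs."""

    def __init__(self, domain: str = "mail.example"):
        self.domain = domain
        self.passwords = {}      # address -> current password
        self.phones = {}         # address -> phone number on file
        self.sms_outbox = {}     # phone -> texts delivered (simulated carrier)
        self.mail_outbox = {}    # address -> mails delivered (simulated mailbox)
        self.pending_codes = {}  # address -> (6-digit code, expiry)
        self.pending_links = {}  # opaque token -> (address, expiry)

    def register(self, address, password, phone):
        self.passwords[address] = password
        self.phones[address] = phone

    # Design A: a short code goes to the phone and is typed back by whoever
    # holds it, on whatever page asked for it.
    def start_reset_by_sms(self, address):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[address] = (code, time.time() + 600)
        text = (f"{code} is your {self.domain} password reset code. "
                "Never enter it on any other site.")  # explicit wording, per the advice above
        self.sms_outbox.setdefault(self.phones[address], []).append(text)
        return "Enter the code we just sent to your phone"  # a prompt any site can display

    def finish_reset_by_sms(self, address, code, new_password):
        pending = self.pending_codes.get(address)
        if pending is None or time.time() > pending[1]:
            return False
        if not secrets.compare_digest(pending[0], code):
            return False
        del self.pending_codes[address]          # single use
        self.passwords[address] = new_password
        return True

    # Design B: an opaque token goes only to the account's own mailbox, as a
    # link on the provider's domain; the requester receives nothing to relay.
    def start_reset_by_link(self, address):
        token = secrets.token_urlsafe(32)
        self.pending_links[token] = (address, time.time() + 600)
        self.mail_outbox.setdefault(address, []).append(
            f"https://{self.domain}/reset?token={token}")
        return None

    def finish_reset_by_link(self, token, new_password):
        pending = self.pending_links.pop(token, None)  # pop => single use
        if pending is None or time.time() > pending[1]:
            return False
        self.passwords[pending[0]] = new_password
        return True


def relay_outcome(provider, address, phone, design):
    """Model the sign-up form from the post: it starts a reset for the address
    the visitor typed and shows the visitor whatever prompt comes back.
    Modelling assumption: the visitor types any code that reaches their phone
    into the form without reading the text, but only ever opens an emailed
    link from their own mailbox, so the link never passes through the form.
    Returns True if the form ends up changing the account password."""
    if design == "sms":
        provider.start_reset_by_sms(address)
        texts = provider.sms_outbox.get(phone, [])
        typed = texts[-1].split()[0] if texts else ""  # visitor copies the code over
        return provider.finish_reset_by_sms(address, typed, "set-by-the-form")
    provider.start_reset_by_link(address)
    typed = ""  # nothing arrived on the phone; the form has nothing to forward
    return provider.finish_reset_by_sms(address, typed, "set-by-the-form")


if __name__ == "__main__":
    for design in ("sms", "link"):
        p = ToyEmailProvider()
        p.register("alice@mail.example", "old-password", "+1-555-0100")  # constructed account
        hijacked = relay_outcome(p, "alice@mail.example", "+1-555-0100", design)
        print(f"{design:4s} reset design: password changed by the form? {hijacked}")
```

Run as a script, the SMS design reports `True` and the link design `False`. The only thing standing between the visitor and a takeover in design A is the visitor actually reading the text message, which is exactly the advice above; in design B the reset token never appears anywhere except the mailbox and the provider’s own domain, so there is nothing for a third-party form to pass along, while the account holder can still use the link normally (once, as the `pop` enforces).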

To read more about this interesting attack, a PDF of the study is available below, no sign-up required 😀

The study (PDF): 207.pdf


Published by Rob Medley

I'm an artist, the living one, not the English artist of the early 1900s, working in acrylics and sometimes other means when the desire hits. My paintings have been described as Edgar Allan Poe meets the rainbow.
