In the previous blog post, I wrote about my observations, which could lead to an account takeover There was no check on changing the personal information like the email address.

Observations

Another day, another email address update. Another Login screen. I entered my user name and password. I found my way to my account settings and clicked on the Edit button to change the email address. I entered the right email address. One check away to verify the change.

At that moment I was requested to enter my password. It reminded me of two factor authentication. To change important things like email address or home address, extra information had to be entered.

A user could change my email address using my password. That is only me. The developer was probably minding my security, which is a nice thing to experience. Security first was in his or her mind. I liked that,

The web site was still waiting for my password. I retrieved the password from my password manager and pressed the Enter key. Then I logged out and logged in with my user name. The update of my email address was successful.

But there was something wrong with the security. I did not like that.

Discoveries

Naming the terms

A password manager is a program or app, which stores user names and passwords for several accounts.

In case of two factor authentication, there are two checks, whether the user is the person, who claims he or she is. For example, a user can be asked to give the membership number to use certain benefits. Then an extra check is done by asking additional information like a name.

Naming the conditions

As a tester I have to look at security. If I use my observations, how would I do an account takeover. In other words, how do I reverse engineer an account takeover.

Sketching a test idea

Here is a rough description to take over an account.

If a laptop is not locked, an account has been opened and the password manager is opened, then change the email address in the Account section using the password from the password manager.

 

If the mail with mail address change is sent to the inbox, remove it in the inbox. Then remove the mail in the Trash.

Later, to the login page, press on the link ‘Password forgotten’, and follow the instructions.

Change the password and then the user name.  The account has been taken over.

Highlighting

Asking for a password is not two factor authentication. A password is not an additional check. With the current number of accounts, a password manager is frequently used to memorise passwords.

Let me describe another situation. If a hacker has the user name and the password, then it is simple to provide the password in order to change the email address.

Recommendations for the developers

Make a log. This can be used to find any relevant changes to the account afterwards.

Add two factor authentication. Nowadays authentication apps are interesting solutions.

Check on the location or the device, which is used for logging in. This can lead to notifications to the user. Consider using the mailbox or notification feature of the app.

Offer the system administrator to make a list of disapproved email addresses. If a company uses an app, then email addresses with certain domain names are not allowed. For example, domain names of competitors and certain countries.

Offer the system administrator to make a list of approved email addresses. For example, for an app with a company subscription only email addresses with the company domain name can be used.

Check, whether the new email address has some connection with the user. An alert should go off, when mister Smith has an email address jones@company.com.

Verify the user requesting additional information, which cannot be easily found on the internet.

Note: in May 2025, a fraud with collecting music royalties was detected in the Netherlands. An account with wrong email address had been created.

Looking forward

In the next blog post I will describe another situation to take over an account using a phone. For the record, no computer or browser is needed at all.

To be continued.

 

 

Observations lead to discoveries,

Observations

Last year I made a switch to another mail provider. In order to get the mail in the right inbox I had to change my email address for many accounts. Administration is not one of my favourite things.

To make a start, I chose the most frequently used accounts. I logged in for one account. Using my email address and password. The obvious way to update my email address was to go to the Settings or Account section of my account.

I found my old email address waiting for an update. So, what was I waiting for? I changed the email address and got a message, that a verification mail was sent to my new email address. I already checked the entered email address twice. What was the need for verification?

Time to watch the inbox of my new email account. And yes, there was an email with a link to verify that the email address actually existed. That sounded logical to me. I clicked the link and then things changed.

In my inbox of my old mail account, I got a message, that my email address was changed. That was quite polite.

As a tester I found a security hole. Again.

Discoveries

Naming the terms

If someone else would post something bad on my social media account, them this could lead to reputation damage. If someone else orders something on my shopping account, then I would lose money.

In the case someone else has the user id and the password to an account of me, then account takeover has taken place. That is something I would like to avoid.

In the world of technology it takes a lot of time and energy to make a product or app, which is better than the competing products or apps. In certain cases, it is possible to look at parts of an existing product and figuring out, how it works.

A program is a system, which contains instructions for the computer to do certain tasks. Why should I not use reverse engineering for a cyber security attack. It is just a list of steps.

Using my observations, I could make a test idea for an account takeover.

Naming the condition’s

As a tester I have to look at security. If I use my observations, how would I do an account takeover. In other words, how do I reverse engineer an account takeover?

Sketching a test idea

Here is a rough description to take over an account.

If a laptop is not locked and an account has been opened, then change the email address in the Settings or Personal information section.

Open the verification mail in the mailbox of the new mail address and folow the instructions.

If the mail with mail address change is sent to the inbox of the old email adress , remove it in the inbox. Then remove the mail in the Trash.

Later, go to the Login Page, press on the link ‘Password forgotten’, and follow the instructions.

The account has a new user id and new password. The account has been taken over.

Recommendations for the user

Log out or lock the laptop, if you leave it alone.

Check your accounts regularly.

Open only accounts, if needed.

Use two factor authentication.

Looking forward

In the next blog post I will describe a situation with high level of security and appropriate measures.

To be continued.