Category Archives: Secure things

Reverse Engineering an Account Takeover or what I discovered while updating my email address – part 1

Observations lead to discoveries.

Observations

Last year I made a switch to another mail provider. In order to get the mail in the right inbox I had to change my email address for many accounts. Administration is not one of my favourite things.

To make a start, I chose the most frequently used accounts. For one account I logged in using my email address and password. The obvious way to update my email address was to go to the Settings or Account section of my account.

I found my old email address waiting for an update. So, what was I waiting for? I changed the email address and got a message that a verification mail had been sent to my new email address. I had already checked the entered email address twice. What was the need for verification?

Time to watch the inbox of my new email account. And yes, there was an email with a link to verify that the email address actually existed. That sounded logical to me. I clicked the link and then things changed.

In the inbox of my old mail account, I got a message that my email address had been changed. That was quite polite.

As a tester I found a security hole. Again.

Discoveries

Naming the terms

If someone else posted something bad on my social media account, then this could lead to reputation damage. If someone else ordered something on my shopping account, then I would lose money.

In the case that someone else has the user id and the password to an account of mine, an account takeover has taken place. That is something I would like to avoid.

In the world of technology it takes a lot of time and energy to make a product or app that is better than the competing products or apps. In certain cases, it is possible to look at parts of an existing product and figure out how it works.

A program is a system that contains instructions for the computer to do certain tasks. Why should I not use reverse engineering for a cyber security attack? It is just a list of steps.

Using my observations, I could make a test idea for an account takeover.

Naming the conditions

As a tester I have to look at security. If I use my observations, how would I do an account takeover? In other words, how do I reverse engineer an account takeover?

Sketching a test idea

Here is a rough description to take over an account.

If a laptop is not locked and an account is open, then change the email address in the Settings or Personal information section.

Open the verification mail in the mailbox of the new mail address and follow the instructions.

If the mail about the mail address change is sent to the inbox of the old email address, remove it from the inbox. Then remove the mail from the Trash.

Later, go to the Login Page, press on the link ‘Password forgotten’, and follow the instructions.

The account has a new user id and new password. The account has been taken over.
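As an added example (not code from this blog or from any app it describes), here is a toy Python model of the email-change flow that the test idea above abuses, hardened with the three checks a defender would want: the current password is demanded before the change, the old inbox receives a revert link that stays valid for a window, and "Password forgotten" is held back for a cooldown after a change. The class and function names, the windows and the in-memory outbox are all assumptions of this model.

```python
import secrets
import time

REVERT_WINDOW = 7 * 24 * 3600   # seconds in which the old address can undo the change
RESET_COOLDOWN = 24 * 3600      # seconds "Password forgotten" is held after a change
outbox = []                     # constructed stand-in for sending mail: (to, kind, token)

class Account:
    def __init__(self, email, password):
        self.email, self.password = email, password  # plain-text password: toy model only
        self.previous_email = self.pending_email = None
        self.verify_token = self.revert_token = self.changed_at = None

def _same(a, b):  # constant-time comparison that also rejects missing tokens
    return a is not None and b is not None and secrets.compare_digest(a, b)

def request_email_change(acct, new_email, password_entered):
    """Step 1: ask for the password again, so an unlocked laptop alone is not enough."""
    if not _same(password_entered, acct.password):
        return False
    acct.pending_email = new_email
    acct.verify_token = secrets.token_urlsafe(16)
    acct.revert_token = secrets.token_urlsafe(16)
    outbox.append((new_email, "verify", acct.verify_token))   # proves the new address exists
    outbox.append((acct.email, "revert", acct.revert_token))  # lets the old owner undo it
    return True

def confirm_new_email(acct, token, now=None):
    """Step 2: the link from the new inbox switches the address and starts the cooldown."""
    if acct.pending_email is None or not _same(token, acct.verify_token):
        return False
    acct.previous_email, acct.email = acct.email, acct.pending_email
    acct.pending_email = acct.verify_token = None
    acct.changed_at = time.time() if now is None else now
    return True

def revert_email_change(acct, token, now=None):
    """Step 3: the link from the old inbox restores the old address within the window."""
    now = time.time() if now is None else now
    expired = acct.changed_at is None or now - acct.changed_at > REVERT_WINDOW
    if expired or not _same(token, acct.revert_token):
        return False
    acct.email, acct.previous_email = acct.previous_email, None
    acct.revert_token = None
    return True

def password_reset_allowed(acct, now=None):
    """A reset mail to a freshly changed address is held back during the cooldown."""
    now = time.time() if now is None else now
    return acct.changed_at is None or now - acct.changed_at >= RESET_COOLDOWN
```

Deleting the notification from the old inbox, as in the test idea, no longer helps an attacker who does not know the password, and the cooldown blocks the "Password forgotten" step right after the change.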

Recommendations for the user

Log out or lock the laptop, if you leave it alone.

Check your accounts regularly.

Open accounts only if needed.

Use two factor authentication.

Looking forward

In the next blog post I will describe a situation with high level of security and appropriate measures.

To be continued.

The Art of Mail Filtering 3.0

Some mails are good, some bad.

The Incident

While I was looking through my emails, I briefly scanned them. This one contained commercial stuff and I put it into the waste bin. Another one promised health benefits and it ended at the same spot. One mail contained a notification of a package delivery.

I went through my short list of checks. The mail looked familiar. I recognised the fonts and the layout. Then I read some parts of the mail. The language was flawless. Dutch is not an easy language to learn. I took a good look at the email address. It had the domain of a respected package delivery service.

There was one thing wrong with this mail: I had not ordered anything. So, I did not click on the track and trace link, which might load some malware onto my computer. Then I decided to park this mail in another folder for later action.

The Debrief

That very evening, I had a talk with my wife. After talking about the daily subjects, I told her about this strange notification mail of a package delivery. Then I got a surprising answer:
“I ordered something and I did not hear anything about it.”

The Sting

Of course, I knew that my wife has some good skills, like baking bread. But baking is different from hacking. At that moment I did not even have time to think along these lines, because she added:
“I used my email address.”

This answer triggered my thought process. She had ordered something from my favourite online shop. Then the shop had to send mails about the package delivery to my wife. There was already an account at her home address, and that was my account.

The mails were sent to the email address of my account. This way I got a suspicious mail.

The Story

My wife was searching for a gift and found it in my favourite shop. She wanted to surprise me and wanted to have it delivered when I was away from home. This way, the surprise would be big. There was one thing she could not have predicted, and that was the actual email address which would be used.

The Hot Fix

During our talk, my wife figured out a solution for this problem:
“The next time, I will send it to my friend.”

Minimal Viable Authentication: usability versus security

Trigger warning: stalking.

For the following stories I am using the imaginary VIP Cinema again instead of the real app. This way I can freely write about my experiences without naming the actual app.

Usability is king

The VIP Cinema app offered its clients a discount on parking. This service appealed to me. So, I contacted the customer service and got a power of attorney number. On request I had to mention the number to get my promised discount of 50 percent on parking.

After a while I wanted to reserve my parking without calling the customer service. There was a simple solution: a parking app. I installed the app and had to register. The first thing I did was to have my power of attorney number ready.

The next step was to enter my email address and a password. Then I had to verify it by clicking on a link in an email. A dialog asked for my Cinema VIP app membership number. Then I opened the app and found the number.

I received an email to verify my email address for the parking app. After clicking a link, I had to enter my VIP Cinema membership number. The next moment I could reserve a parking place for my car without entering my power of attorney number.

The registration was smooth and it saved me the extra step of entering another number. I really liked this experience.

Security is pauper

“I want to show something to you,” I told another computer software professional.
“Here is my mobile. The Cinema VIP app is open and shows my membership number.”
I got a nod.

“Now I am going to the website to register a new user id and password for the parking website.”
Another nod followed.

This looks familiar

Then I entered a new email address and password. After clicking the link in the mail to verify my email address, I asked him for my membership number. While he was citing the number, I entered it in the requested text field in the dialog.

“Let us see what kind of information we can get based on this single number.
You can see where I live. This information is needed for billing.”

Worth noting

“Let’s have a look at my parking history. This is the parking I used every other week. This is an interesting pattern. Last week I parked there. So next Friday I will probably park the car there at 7 pm.”

Let me guess

“There is a high chance that I visit a cinema close to this parking. The discount is offered by the Cinema VIP app. Notice that no power of attorney number was asked for. This would improve the security.”

All that being said

“Even worse: I did not get an email that another account was coupled to my parking account. I refreshed my inbox: no mail was found about the double registration.

Certain social media apps inform me directly, if my account is accessed from an unknown device. But this was not the case for this app.”

This time I did not get a nod, but an astonished face.

Signals of poverty

When I phoned the customer service of the parking service, no power of attorney number was requested.

During this phone call there was a check of my birthday, my zip code, and my house number. These can be obtained using social engineering, or by extracting private information without attracting attention.

This I Learned

Authentication is about making sure that the right person gets access. Some shortcuts can have severe drawbacks.