Jul 6, 2013

Break in using the "signup key"

Today I read several reports about a break in technique that attackers used to compromise user accounts of several large online companies. Two of them, for example, are Facebook and Dropbox. I read also about others because I was interested if there are more cases like this.

The general idea is that the service gives you, a legitimate user, a chance to change access to your account by sending you a link with a profile id and a certain key, which looks like 27934e96d90d06818674b98bec7230fa (this particular key is not random, if you search for it, you will find another interesting information to educate yourself). Next the code takes the key, searches the database for the key. If the key exists, it signs-up/resets/resends/does-whatever-else-to-give-you-the-access to the profile identified by the profile id in the link.

Can you spot the problem in this logic?

The code checks that the key exists but it does not check that it belongs to the profile in question. So if you got the key, you can reset anyone's password and get access to his account only by using a different profile id. This seems like an obvious error. Yet the programmers of many large companies fail to see it and implement the "reset" functionality correctly.

Now you know what to avoid in your implementation. Are you running to patch your code already? You should!

1 comment:

  1. Unbelievable, is it really true for FB & DB ? When I'm doing such mechanism, I'm putting an additional column to each user, so the secret token is stored per user, not globally.

    ReplyDelete