Weak Password Recovery Validation

WHID 2006-14: Forgotten password clues create hacker risk

A UK Security Consulting firm reports that 54 UK sites that it has surveyed have flaws in the "forgotten password" feature.

Additional information:

Forgotten password clues create hacker risk [The Register, Mar 20 2006]

Attack Method:

Weak Password Recovery Validation

Incident Outcome:

Disclosure Only

WHID 2005-5: Paris Hilton's T-Mobile online account hacked

Details remain sketchy, but news reports include social engineering, a guessable secret question for password recovery, and a known vulnerability is BEA WebLogic

Additional information:

Attack Method:

Insufficient Authentication

OS Commanding

Weak Password Recovery Validation

WHID 2003-3: User passwords could be stolid in Microsoft's Passport service

Additional information:

Microsoft faces huge fine over security [Zdnet, May 9 2003]
Microsoft Patches .NET Passport Hole [AnyNetwork, May 8 2003]

Attack Method:

Weak Password Recovery Validation

Incident Outcome:

Disclosure Only

WHID 2005-32: Weak password recovery on Citrix's site

Weak password recovery procedure at Citrix

Additional information:

Example of the worst passwd recovery interface [WebAppSec mailing list, Aug 3 2005]

Attack Method:

Weak Password Recovery Validation

Incident Outcome:

Disclosure Only

Weak Password Recovery Validation

WHID 2006-14: Forgotten password clues create hacker risk

WHID 2005-5: Paris Hilton's T-Mobile online account hacked

WHID 2003-3: User passwords could be stolid in Microsoft's Passport service

WHID 2005-32: Weak password recovery on Citrix's site

Science or Religion?

Further Research

Presentations

You are here

Weak Password Recovery Validation

WHID 2006-14: Forgotten password clues create hacker risk

WHID 2005-5: Paris Hilton's T-Mobile online account hacked

WHID 2003-3: User passwords could be stolid in Microsoft's Passport service

WHID 2005-32: Weak password recovery on Citrix's site

Science or Religion?

Further Research

Presentations