Wednesday, July 5, 2017

Beware sites asking for registration


Hackers are using innocent looking site to perform a clever attack that can take control of your account in other online services, even if you have complex passwords and even 3-factor authentication enabled.

The technique is frighteningly simple, and consists on luring the victim to a site you might be willing to register - shouldn't be that hard, by promising something like a free app or some sort of unique content. The trick is that the registration process on this site will actually be replicating the password recovery process of the site the hackers are interested in.

That is, when the user fills in his email, the malicious website will, in the background, tell Google it wishes to recover the password for that user. From then on, they'll simply forward all the questions Google may ask as if it were part of the registration process on the other site. The technique allows you to overcome all forms of security that may exist, and it may even go unnoticed for users that may fail to realize incoming SMS (should they have 2-factor authentication enabled) are for other service.

This is why you should never, ever, use the usual recovery questions such as "preferred color / mother's name / etc." If a site does ask for it, fill it with a completely random password. This would prevent such an attack from working, as your answer in a new site wouldn't allow anyone to recover your account on another site.


I think it's time for more sites to simply use the password-less system, where they email you a link with a temporary access token. You simply enter your email, click on the link you receive, and no more worries about passwords/recovery/etc.

No comments:

Post a Comment

Related Posts with Thumbnails

Amazon Store