2008-02-29

Hijacking a Big U network account

I could not really imagine that there is too much worth reading in the average Big U e-mail account, but here is how you can easily hijack one, as well as the user account for the same person, letting you, potentially, cavort around the Big U intranet as that user. All you need to know is the person's username, say ALBERTE, which Big U, contrary to all the usual advice, also uses as the e-mail prefix, e.g. ALBERTE@bigu.ac.zw.
  1. Send an e-mail to the ICT helpdesk, asking for the password for ALBERTE to be reset. Use any e-mail account whatsoever to send this message! The reason that ICT-help will not find this unusual at all is that they only accept password reset requests by e-mail. Since the lame network of Big U requires passwords to be changed on a monthly basis, they get a lot of requests for resets, and ALL of these requests originate from some e-mail address different from the one they have to reset, of course. They apparently cannot require that these requests originate from the user's own e-mail address because either (i) they haven't thought of it; or (ii) most users don't have a separate e-mail password or have never used a computer other than their own.
  2. Wait a few minutes for the reset password - often "password" - to arrive.
  3. Log in to the victim's user account. If they have no separate e-mail password, this will probably give you access to their e-mail as well.
  4. Don't worry. The victim does not receive a copy of the password reset request or of the reset password. They will log on the next time and probably assume that they have forgotten their brand new password from last week and request a new one. This behaviour will confirm ICT-help's conviction that the user ALBERTE is an idiot and that they should keep on doling out reset passwords.
Needless to say, criminal minds will probably want to do this after having verified that the target has gone home for the weekend, so as to have a day or two to play around. I have never done this for any other than my own account, but for that it has worked very well. Big U, by the way, has disabled IMAP accounts on the advice of their (Microsoft) consultants who believe IMAP to be an unacceptable security risk. Huh?
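To make the three weaknesses in that helpdesk process concrete (any sender is trusted, the temporary password is a fixed word, and the account owner is never told), here is an added example that models the flawed workflow next to a hardened one. It is not Big U's code; the directory entry, the domain and the recovery-address field are constructed for illustration.

```python
import secrets
import string

# Constructed directory: usernames double as e-mail prefixes, as in the post.
# The recovery_email field is an assumption for this example.
DIRECTORY = {"ALBERTE": {"recovery_email": "alberte@bigu.ac.zw"}}


def weak_reset(request_from: str, target_user: str) -> dict:
    """The process described in the post: the sender is never compared with
    the account owner, the temporary password is always 'password', and
    nobody is notified, so a hijacked account looks like a forgetful user."""
    if target_user not in DIRECTORY:
        return {"ok": False, "reason": "unknown user", "notified": []}
    return {"ok": True, "temp_password": "password", "notified": []}


def hardened_reset(request_from: str, target_user: str) -> dict:
    """Closes each gap: a request not from the address on file is held for
    out-of-band verification instead of being approved, the temporary
    password is random, and the real owner is always notified so that a
    reset they did not ask for becomes visible to them."""
    record = DIRECTORY.get(target_user)
    if record is None:
        return {"ok": False, "reason": "unknown user", "notified": []}
    owner = record["recovery_email"].lower()
    if request_from.strip().lower() != owner:
        # Do not reset; flag the ticket for a call-back and warn the owner.
        return {
            "ok": False,
            "reason": "sender does not match address on file",
            "action": "out-of-band verification",
            "notified": [owner],
        }
    alphabet = string.ascii_letters + string.digits
    temp_password = "".join(secrets.choice(alphabet) for _ in range(16))
    return {"ok": True, "temp_password": temp_password, "notified": [owner]}
```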

[Apologies to Neal Stephenson for hijacking the title of his first published novel, The Big U.]

Useful links:

http://en.wikipedia.org/wiki/Social_engineering_%28security%29
http://en.wikipedia.org/wiki/The_Big_U

1 comment:

Petrus Potgieter said...

Needless to say, the reason why this "attack" is so obvious and easy is that the username (being the e-mail ID) is absolutely public knowledge. The problem with this can hardly be over-emphasised.