Lately I’ve been spending time researching weaknesses and attack vectors in password reset options. At BSides Las Vegas I presented a tool called “Ransombile”. It automates the password reset process over SMS for many Alexa top 100 websites and facilitates targeted attacks by someone who has physical access to a locked mobile device for a short period of time. I’ve also talked at DEF CON and CCC about the wide impact of compromising voicemail systems by abusing password reset over phone calls.
While working on these topics, I spent many hours testing and resetting passwords on various websites. At some point, I started noticing a pattern I hadn’t paid attention to before. When you want to reset a password, you enter the email address and are then presented with several options. Those usually include receiving an email with a unique link to click on, getting an SMS with a secret six-digit code, or even receiving a phone call and hearing the secret code read out instead.