Abstract—We present the password reset MitM (PRMitM) attack and show how it can be used to take over user accounts. The PRMitM attack exploits the similarity of the registration and password reset processes to launch a man in the middle (MitM) attack at the application level. The attacker initiates a password reset process with a website and forwards every challenge to the victim who either wishes to register in the attacking site or to access a particular resource on it.
The attack has several variants, including exploitation of a password reset process that relies on the victim's mobile phone, using either SMS or phone call. We evaluated the PRMitM attacks on Google and Facebook users in several experiments, and found that their password reset process is vulnerable to the PRMitM attack. Other websites and some popular mobile applications are vulnerable as well.
Although solutions seem trivial in some cases, our experiments show that the straightforward solutions are not as effective as expected. We designed and evaluated two secure password reset processes and evaluated them on users of Google and Facebook. Our results indicate a significant improvement in the security.
Since millions of accounts are currently vulnerable to the PRMitM attack, we also present a list of recommendations for implementing and auditing the password reset process.
A password is the primary and most popular mechanism for account protection. Users of web-services all use passwords to prevent unauthorized parties from accessing their accounts. For decades, this key role of passwords in the security world has attracted many hackers and security researchers.
The first computers had no need for passwords, and physical obstacles were the only security countermeasures. The need for passwords appeared with the rise of shared environments. Initially, passwords were saved in plain text. The first cases of password theft introduced the need for other solutions, such as using encryption, hashing, and salt.
Despite the improvements in secure password storage techniques, attackers still hack databases and get information about users and their hashed passwords. The attackers then try to break the passwords offline using classical attacks like brute force or dictionary attacks.
Even the most secure password storage will not help a user who chooses a weak password. Unfortunately, many users tend to choose easy to remember but also easy to guess passwords. To prevent users from making this kind of mistake, many websites force their users to use strong passwords, or at least give them an indication about the strength of their password. Enforcing strong passwords by applying restrictions to the user passwords and providing indications about the strength of the password were shown to be effective. In addition to the strong password requirement, web-services such as banks, which allow sensitive operations, often force their clients to change their passwords frequently. Choosing a strong password and ensuring it is securely stored are imperative to maintaining account security. However, these efforts are not worth much if the password reset process is vulnerable to attacks.
The fact that many users tend to forget their passwords has raised the need for password reset mechanisms. Paradoxically, the security requirements for choosing strong unique passwords and periodically replacing them only make password forgetting more common. Today, most of the websites with a password-based login system allow users to reset a lost password.
Password resetting is a challenging process. The website needs to ensure that the user can prove her identity without that password. Most websites rely on the email address of the user, e.g., by sending a reset password link to the email address that was used to register the website account. However, this becomes much more challenging for the very important websites that provide the email services.
Websites that cannot reset passwords via email address, and websites that support cases in which the user lost access to a registered email account, offer alternative ways to reset the password. These websites use security questions or other communication channels such as a mobile phone to authenticate the user before she receives the option to reset her password.
This paper shows that existing password reset processes in many popular websites are vulnerable to attacks by a weak attacker. In particular, we characterize, research, and evaluate a new attack, which we call password reset man-in-the-middle (PRMitM).
In a basic PRMitM attack, a user accesses the website of an attacker to get a resource, e.g., free software. The attacker requires the user to log in for free in order to access the resource. During the registration process, or via other cross-site attacks, the attacker gets the email address of the victim. Then, on the server side, the attacker accesses the email service provider website and initiates a password reset process. The attacker forwards every challenge that he gets from the email service provider to the victim in the registration process. In the other direction, every "solution" that is typed by the victim in the registration process is forwarded to the email service provider. That way, the cross-site attacker is actually a man in the middle of a password reset process.
Some of the challenges the attacker may come up against when he tries to reset a user's password are CAPTCHA challenges, security questions, and a code that is sent to the mobile phone. Figure 1 illustrates a basic PRMitM attack.
Counterintuitively, websites that rely only on sending a password reset code to the user's mobile phone are sometimes more vulnerable to the attack. This is because the attacker can launch the PRMitM attack on them even in scenarios that are simpler than registration to a website.
We explore and analyze the different password reset SMS messages sent by popular websites to their users as well as password reset using phone calls.
We surveyed the password-reset mechanism of the most popular websites and of other popular email service providers, and analyzed how vulnerable they are. Our findings show that popular websites are vulnerable to PRMitM attacks, some of them very severely.
For example, we found that Google, the most popular website in the world, is extremely vulnerable to PRMitM attacks that exploit Google password reset using a phone call. We also evaluated the PRMitM attack using SMS messages on Facebook, the world's second most popular website. Beyond Google and Facebook, we found vulnerabilities in Yahoo!, LinkedIn, Yandex and other email services. We also discovered additional problems that occur in other websites and analyzed PRMitM vulnerabilities in mobile messaging applications like Whatsapp and Snapchat.
Beyond the surprisingly high number of vulnerable popular services, our findings include several problems, some of them surprising, that have not been considered before in the design of a secure password-reset process:
1) Informative password-reset messages do not prevent exploitation of users, mainly because many users ignore the text and just copy the code.
2) Users might be vulnerable to the attack, depending on their language settings. This is either due to differences in the content of password-reset messages in different languages or due to services that provide services in several languages, but send password-reset messages in another language.
3) The PRMitM attack can be used to take over accounts of very popular websites (e.g., Facebook) given minimal information about the user (e.g., phone number only). This allows easy exploitation in additional scenarios (not registration).
As existing designs of password-reset processes are vulnerable, we designed secure password reset processes using SMS and phone calls. We then evaluated their effectiveness on real Facebook and Google users with excellent results, mainly compared to the poor results achieved by their current mechanisms. We summarize our work with a list of recommendations for testing and improving the security of password reset processes in many websites.
A. Contributions
We make the following contributions:
1) Introduce the PRMitM attack, a new attack that exploits bad design of the password-reset process in websites and applications.
2) Evaluate the PRMitM attack on Google and Facebook, the two most popular websites in the world.
3) Review the password reset processes of many popular websites and compare the different approaches.
4) Explore further and identify similar vulnerabilities in popular mobile applications.
5) Design secure password reset processes using SMS and phone calls, and evaluate them on Google and Facebook users. This was necessary, as our experiments indicated that in some cases, the straightforward solutions are not effective enough (see Experiment 2).
6) List recommendations for the secure design of the password reset process. Given the number of popular websites affected, this list is critical for quickly patching the vulnerabilities.
Our work has already helped several popular services improve the security of their password reset process. We believe it will help many other websites protect their users.
B. Organization
We begin with a description of the adversary model in Section II; this section also includes a survey that justifies the practicality of this model. In Section III, we describe the basic PRMitM attack. In Sections IV and V, we present and evaluate PRMitM attacks on password reset processes using SMS and phone calls, respectively. Section VI shows that the PRMitM attack can also be launched on some mobile applications. Section VII presents possible defenses and evaluates them, and Section VIII discusses related work. The last two sections summarize our findings in a list of recommendations that can be used by websites to test and improve their password reset processes.
C. Ethics
Our institutes have no ethics committee. Nevertheless, we followed common sense and advice from experts to conduct the research ethically.
We reported our findings to the vulnerable vendors. Vendors that are severely vulnerable to the PRMitM attack either fixed the vulnerability (Snapchat, Yahoo!) or informed us that they plan to fix the vulnerability (Google, LinkedIn and Yandex). Other websites, which are less vulnerable (e.g., Facebook), thanked us and told us they will consider using our findings in the future, but they do not plan to apply fixes soon.
In the experiments we conducted, we avoided accessing information we did not get from the participants in advance. We also did not take over their accounts or change anything in their accounts. Additionally, we did not keep any private information beyond the final results (e.g., whether the attack succeeded or not).
D. Methodology Challenges and Limitations
This paper presents a set of attacks and evaluates them in different settings. Although the attack exploits a vulnerability in the design of the password-reset process, the attack includes interaction with users. Hence, we rely extensively on user studies and surveys. In total, 536 participants took part in the surveys and the experiments that were done in this research; each of them participated in only one experiment or survey.
The need for many participants for both the surveys and the experiments was a technical challenge for us. Moreover, the nature of most of the experiments made this challenge even harder. As our experiments simulate versions of the PRMitM attack, we preferred to rely on volunteers who would feel free to leave the experiment at any step. If participants get money, they might feel obligated to complete the experiment.
Like many other studies on related topics like phishing and password security, we decided to rely on students from our institute. Although it is preferable to conduct larger user studies also on other populations, like other researchers, we believe that conducting all the experiments and the surveys with students gives good and reliable results that are relevant also for other populations. Other alternatives like Amazon Mechanical Turk workers (which is not available in our country) are not better, as there are many common characteristics to the users there.
Except for the ages of the students, which were used to make sure that all the participants are adults, we did not collect any private information about the participants, as we did not think that this is necessary for the results. Of course, all the participants are required to be web users; otherwise, they cannot be used to evaluate the situations discussed in this paper. Like in most of the departments in our institute, the ages of the students in all the experiments ranged between 18 and 35, almost uniformly.
To launch a PRMitM attack, the attacker only needs to control a website; no MitM or eavesdropping capabilities are required. The attacker attacks visitors of his website and takes over their accounts in other websites. This is similar to cross-site attacks like cross-site scripting, cross-site request forgery, and clickjacking. We extend the discussion on the differences from cross-site attacks and from phishing in Section II-B.
In order to initiate the password reset process for a website in the name of the victim, the attacker needs basic pieces of information; these include items such as username, email, or phone number. This information can be extracted from the victim by the attacker during a registration process to the attacking website (Section III) or before some operations like file download, when the victim is required to identify herself using her phone.
For some websites, the attacker may be able to use cross-site attacks such as cross-site scripting, cross-site script inclusion, or newer techniques to gather details about the user. However, the use of these techniques implies restrictions, e.g., the user must be logged into the attacked website (see below for more details).
In addition to a visit to the attacker's website, the attacking page has to lure the victims into registering or inputting their phone number to get a code. To do that, the attacker can apply known and common methods. For example, the attacker can create a website that offers (or claims to offer) free services, e.g., streaming or file downloads. The website can require basic authentication (prove you are not a bot) before accessing some or all the services, or restrict them only to registered users. Section II-A shows that this requirement is reasonable.
A. Personal Details in Unknown Websites
Our attack is based on the assumption that users will agree to register or to have a one-time code sent to their phone in order to enjoy services online. Although it would help the attacking website to provide valuable services to attract potential victims, in practice, the attacking website can only claim it is offering such services.
To test this assumption we conducted an anonymous survey among students in our institute. In the short survey, we asked participants whether they would agree to either register to a website or prove they are human using their phone, or both options, in order to use common online services such as file downloads for free.
Among 138 participants, only 6 claimed they will never register for unknown websites or give their phone number, no matter what free services are offered. Of the participants, 60.9% said they would agree to use both options. An additional 27.5% would only agree to register, and the remaining 7.2% would only agree to identify themselves using their phone.
These results strengthen our assumption and show that the adversary model, in which victims register or authenticate themselves using their phones, reflects a common situation on the web.
Some of our colleagues were surprised by the willingness of users to use their phone number. For ethical reasons, we could not create a website with attractive content, and a fake website would not do the job. Hence, we conducted a simulation with the participation of another 99 students.
In this simulation, we described a website that stores files and requires a valid phone number to download them. The verification is done via SMS code, and the user is only required to insert his phone number.
We asked the participants whether they would agree to insert their phone number to receive the files in which they are interested. Of these, 39.4% said they would insert their phone number immediately, and 14.1% said they would first try to obtain the files via friends or via online SMS services. An additional 18.2% said they would insert their phone number only if they really needed the files (rather than just wanting them). In total, 71.7% of the participants would agree to insert their phone number.
B. Comparison to Cross-Site Attacks and Phishing
Visiting a malicious page might expose the user to several attacks. If the browser or one of its plugins has security bugs, an attacker could exploit these bugs to take over the entire machine. However, finding such bugs is considered a difficult task. Once a critical zero-day bug is discovered, it is quickly patched by the vendors of popular browsers such as Chrome and Firefox.
Other risks come from vulnerabilities in the websites themselves, although it is challenging to find security bugs in popular websites. An attacker who wants to take over an account using classical web attacks like XSS or CSRF has to intensely explore each of his target websites. Without finding a vulnerability it is hard to know for sure whether the website is vulnerable or not. Unlike PRMitM, in cross-site attacks users must also be authenticated to the attacked website.
On the other hand, more interaction between the attacking page and the victim is required to launch PRMitM attacks. Unlike clickjacking and some XSS attacks, where only a few clicks are required, in PRMitM attacks the victim is required to perform an operation in the attacking page and to insert at least a single minimal correct piece of information about herself, e.g., a phone number.
The need to insert private information is similar to phishing attacks in websites. However, in phishing attacks, the attacking page impersonates a legitimate website and tricks the victim into inserting her credentials (username and password). In PRMitM attacks, the victim is only required to give personal information (e.g., phone number) that users agree to give in order to get some services (see Section II-A).
Sophisticated phishing attacks might also follow a similar application-level MitM approach, imitating a legitimate website during the entire login process. Such a MitM approach might also overcome 2-factor authentication schemes, as the victim inserts codes and passwords into the phishing website. Hence, one might miss the most significant difference between phishing and PRMitM attacks: the vulnerability itself. Namely, for each of the attacks, there is a different answer to the question "what is being exploited?"
Phishing attacks exploit the users; there is no bug in the design of the attacked website, and the attacker exploits unwary users who ignore indications given to them by the browsers. On the other hand, PRMitM attacks exploit bugs in the design of the password-reset process.
The greatest challenge of the phishing attacker is impersonating another website. Users with minimal understanding can detect phishing attempts by carefully checking the site URL and whether HTTPS is on. Other anti-phishing solutions also make phishing attacks harder to launch against other users. The PRMitM attack obviates the need for impersonation; it can be launched naturally from every website.
As the PRMitM attack exploits a server-side design bug, depending on the severity of the vulnerability, there is no chance for the users and other client-side defenses (e.g., browser built-in mechanisms or extensions) to detect the attack. Table I summarizes the comparison.
This section describes the basic password reset MitM (PRMitM) attack, and presents the challenges and difficulties of the attacker. This section also surveys the mechanisms used by popular websites during the password recovery process.
Password Reset MitM Attack
The basic PRMitM attack exploits the similarity between the registration process and the password reset process. In both processes, it is common to solve CAPTCHA challenges, answer security questions, get a confirmation link to the email, or to type in a code that is sent to a phone number. Hence, the attacker can take challenges from a password reset process of a user, and present them to her as legitimate challenges during the registration process.
We now describe the attack in detail. For simplicity, we describe the attacked website as the email service provider of the victim. When a user initiates a registration process in the attacker's website, the attacker either asks the user to identify herself with her email address or launches another cross-site attack to extract it.
Once the attacker knows the victim's email address, he already knows both her email service provider and her username in this service. The attacker initiates a password reset procedure against the attacked website with the email address of the victim. The attacker acts as man in the middle between the victim user and the attacked website in the password reset procedure.
The attacker forwards almost every challenge (see Section III-C) from the attacked website to the victim under the cover of the registration process. This process is illustrated in Figure 1. Given the email address of the victim, the attacker can similarly initiate a password reset process in the name of the victim in other websites, e.g., Facebook.
Challenges
We now discuss the four most common challenges that the attacker may encounter during the password reset process. The challenges are described from the easiest to the most difficult.
1) CAPTCHA Challenges: CAPTCHA challenges do not aim to prevent an attacker from resetting the password, but rather aim to prevent the attacker from doing this automatically. A human attacker should be able to solve CAPTCHA challenges just like a human victim. However, to launch the PRMitM attack on a larger scale it is necessary to solve them automatically. Therefore, the PRMitM attacker forwards the CAPTCHA challenges to the victim users, and forwards the solutions submitted by them back to the attacked website.
2) Security Question: Another identification challenge is presented by security questions. During the registration, users are sometimes asked to answer personal question(s) that will be used to identify them in case the password is lost or forgotten. When the attacker receives a security question in the password reset process, he can just forward this question to the victim who is currently registering to the attacker's website. The attacker will forward the user's answer on to the attacked website.
3) Code to the Mobile Phone: Authentication can be done via one of three approaches: (1) something you know (e.g., password), (2) something you are (e.g., fingerprints), and (3) something you have (e.g., a special token device or a phone). Therefore, when users forget their password, many websites allow them to authenticate themselves via something they have, like a mobile phone. This is usually done by sending a message with a password reset code to the phone of the user via SMS. Some websites also support an automated phone call to the user, in which the code is given. The user is required to insert this code in order to change her password. In Section IV, we analyze the different messages sent by popular websites and show that it is possible to launch a PRMitM attack also in this case. In Section V, we show that phone calls are also vulnerable to the attack.
4) Reset Link to the Email: The most common countermeasure involves sending a link to reset the password to the victim's email address. To bypass this mechanism, the attacker must be able to access data in the email account of the victim; therefore, the PRMitM attack cannot be applied to websites that allow password reset only by sending a reset link to the email. Unfortunately, this option is usually not relevant for the email services themselves. Moreover, relying only on this option blocks password recovery when users have lost access to their email account.
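The four challenge types above differ in one property that decides whether an application-level relay can carry them: whether the victim's response passes through a text field on the attacker's page. The following model, added here as an illustration and not taken from the paper or from any website it surveys, makes that property explicit. The target site, the victim and the "registration" page are all in-process toy objects constructed for the example (no network is involved); the account data, the CAPTCHA text and the message formats are likewise constructed. It shows that a CAPTCHA, a security question and a phone code can be relayed exactly as Figure 1 describes, while a reset link that lands only in the victim's inbox never reaches the relay.

```python
"""Which password-reset challenges can an application-level relay carry?

Added illustration; not code from the paper or from any site it surveys.
Everything here is a constructed toy: the target site, the victim and the
attacker's "registration" page are in-process objects, no network is used.
The four challenge kinds follow the list above: CAPTCHA, security question,
code sent to the phone, and reset link sent to the e-mail account.
"""
from dataclasses import dataclass
import secrets


@dataclass
class Challenge:
    kind: str
    prompt: str               # what the requester of the reset is shown
    expected: str             # correct response, known only to the target site
    answered_by_typing: bool  # True: user types it somewhere; False: inbox click


class Victim:
    """A user who believes she is registering on the attacker's page."""

    def __init__(self, email, security_answers):
        self.email = email
        self.security_answers = security_answers  # {question: answer}
        self.sms = []     # messages that arrived on her phone
        self.inbox = []   # messages that arrived in her mailbox

    def fill_registration_field(self, page_prompt):
        """What she types into the field shown on the attacker's page."""
        if page_prompt.startswith("CAPTCHA:"):
            return page_prompt.split(":", 1)[1].strip()     # a human reads it
        if page_prompt in self.security_answers:
            return self.security_answers[page_prompt]
        if "code we sent to your phone" in page_prompt:
            # Finding 1 of the paper: many users copy the code without reading
            # the surrounding text, so the relay gets the code regardless.
            return self.sms[-1].split()[-1]
        return ""   # nothing to type: the link is in her inbox, not on the page


class TargetSite:
    """Toy account service; each account is configured with one reset route."""

    def __init__(self, accounts, users):
        self.accounts = accounts   # {email: {"reset_via": kind, ...}}
        self.users = users         # {email: Victim}  (toy delivery channel)
        self.pending = {}

    def start_reset(self, email):
        acct, user = self.accounts[email], self.users[email]
        kind, secret = acct["reset_via"], secrets.token_hex(3)
        if kind == "captcha":
            ch = Challenge(kind, "CAPTCHA: " + secret, secret, True)
        elif kind == "question":
            ch = Challenge(kind, acct["question"], acct["answer"], True)
        elif kind == "phone_code":
            user.sms.append("Password reset code for site.example: " + secret)
            ch = Challenge(kind, "Enter the code we sent to your phone", secret, True)
        elif kind == "email_link":
            user.inbox.append("https://site.example/reset?t=" + secret)
            ch = Challenge(kind, "We e-mailed you a reset link", secret, False)
        else:
            raise ValueError("unknown reset route: " + kind)
        self.pending[email] = ch
        return ch

    def finish_reset(self, email, response):
        ch = self.pending.pop(email)
        return secrets.compare_digest(ch.expected, response)


def relay_reset(site, victim):
    """The attacker's page requests a reset and shows the resulting challenge
    to the victim as if it were a step of her signup; returns whether the
    reset on the target site completes."""
    ch = site.start_reset(victim.email)
    if not ch.answered_by_typing:
        site.pending.pop(victim.email, None)
        return False   # the link never passes through the attacker's page
    typed = victim.fill_registration_field(ch.prompt)
    return site.finish_reset(victim.email, typed)


def outcomes_by_challenge():
    """Run the relay once per reset route; True means the reset completed."""
    results = {}
    for kind in ("captcha", "question", "phone_code", "email_link"):
        victim = Victim("alice@site.example", {"First pet?": "Rex"})  # constructed
        site = TargetSite(
            {victim.email: {"reset_via": kind, "question": "First pet?", "answer": "Rex"}},
            {victim.email: victim},
        )
        results[kind] = relay_reset(site, victim)
    return results


if __name__ == "__main__":
    for kind, taken_over in outcomes_by_challenge().items():
        print(f"{kind:11s} relay {'succeeds' if taken_over else 'fails'}")
```

The point for a designer is the `answered_by_typing` flag: any challenge whose answer is a string the user types can be presented on someone else's page, and an informative SMS text does not change that because the code is still typed. Only a challenge completed inside a channel the relay cannot observe (the click on a link in the user's own inbox) breaks the chain, which is why the paper treats the e-mail link as the one countermeasure PRMitM cannot bypass, and why email providers, which cannot use it for themselves, are the hard case.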
Challenges inPopular Websites 热门网站的挑战
We surveyed the challenges used during the password reset process by the most popular websites in the world. Table II summarizes the findings. The 10 most popular websites support password reset using the user's email account, and most of them allow password reset using a phone as an alternative.
Google is the only one that also supports security questions, and three of them require solving a CAPTCHA in addition to one of the first two challenges.
We also surveyed popular email services, because those cannot easily offer an email-based password recovery process. Email services are usually very sensitive: with access to the victim's email account, an attacker can go on to reset the password of other websites.
The challenges used by popular email services that do not appear in Table II are summarized in Table III. We chose only email services to which we could register, all of them from the USA, Russia, India, and Germany.
Among these 10 email services, we found that Yandex (one of the most popular websites in the world), mail.com, gmx.com and rediff.com allow password recovery by answering a security question and solving a CAPTCHA alone. In Yandex, this option is available only to users who did not enter a phone number and an alternative email. This makes these websites vulnerable to a simple variant of the PRMitM attack, in which the attacker forwards only the security question and the CAPTCHA challenge to the victim to solve, and then takes over the account.
Google also supports password recovery using security questions. However, Google's mechanism is based mainly on activities the user performed in the account, and on other parameters such as the IP address and browser of the requester. Although Google also asks general security questions in some cases, the PRMitM attack alone cannot be used to pass them. See also Section VII-A.
Clearly, most popular websites and email services support authentication using a mobile phone. In Sections IV and V, we show that sending the password reset code by SMS or phone call is vulnerable to the attack as well.
Evaluation: PRMitM with Security Question
As some websites still allow password reset that relies on security questions, we conducted a small user study (Experiment 1) to test whether users provide the correct answers to such questions. Since popular websites do not rely on security questions, we could not recruit participants and simulate a real attack on their accounts.
Yet, under the assumption that users who give the correct answer in a low-importance website would also answer their security question correctly in more reputable websites, the experiment should offer a good indication. Although not analyzed in this experiment, users who give the same wrong answer to both the attacked and the attacking website are also vulnerable to the attack.
EXPERIMENT 1: Correctness of the answer to a security question.
Experiment process. Participants were asked to register to a website in order to perform a short experiment. During the registration process, they were asked to type their email address, and only then to answer a classical security question: what is your mother's maiden name. Once the users completed the registration, we asked them whether the answer they had just typed was correct.
Ethics. We did not save any private data about the participants. We only saved the answer distribution of the last question.
Participants. 52 volunteer students from our institute.
Results. Although they were registering to a low-importance website, 76.9% of the participants provided the correct answer to the security question.
Bonneau et al. conducted a larger survey with 1500 participants. There, 37% of the participants reported that they gave a wrong answer to the security question when registering their primary email account. Beyond the population and the number of participants, the difference in the results can be due to the experiment process.
In our experiment, the users actually answered a security question; in that survey, the users were only asked about a registration that probably occurred several years earlier. It is surprising that the survey did not include statistics about users who do not remember their answers. For example, the authors of this paper do not even remember whether they were asked to answer a security question when registering to Gmail.
Even if only 63% of the population are vulnerable to the attack, this is still a high percentage and an indicator of the problem of relying on security questions.
Popular websites also usually offer password recovery mechanisms to users who have lost access to their email account. The problems with security questions and the popularity of mobile phones have made authentication using a mobile device a preferred option for password recovery (e.g., see Tables II and III). The most common way to authenticate a user via mobile phone is to send a code to the device; the user then has to enter the received code into the website to reset the password.
Unfortunately, in some cases the PRMitM attack is still possible when the reset code is sent by SMS. The attacker asks the victim for her phone number, claiming that a code will be sent to it. The attacker then initiates a password reset process with this phone number on the attacked website, causing that website to send an SMS with a password reset code to the victim's phone. The victim receives the message she expects, and may type the code into the attacking page. Now the attacker can complete the password reset process.
The attacker can trick the user into disclosing her password reset code under even simpler conditions. Unlike security questions, a code sent to the mobile phone is not used solely for registration and password recovery. Email addresses can be generated easily and for free by bots, whereas mobile numbers are harder and more expensive to obtain; sending a code to a mobile device is therefore a reasonable way both to prove that users are not bots and to prevent overuse by users. So instead of a registration process, the attacker can ask the user to enter a code sent to her mobile phone before accessing a resource or downloading a file.
In the rest of this section we discuss the problems with password reset using SMS (Section IV-A), survey this mechanism in popular websites (Section IV-B), and finally evaluate the attack on Facebook users (Section IV-C).
A. Limitations of Password Reset Using SMS
We identified several problems with sending a password reset code via SMS. The first problem is inherent; the others appear in some of the websites and can be fixed easily.
Unclear message. A single SMS carries at most 160 characters of the 7-bit GSM alphabet (and fewer when the text uses another script), and at least three pieces of information should appear in each message in addition to the password reset code: (1) the sending website, (2) an explanation of the code's meaning (password reset), and (3) a warning against disclosing the code to anyone else. Most websites are aware of the need for these three elements; as evidence, they include all of them (and more) in the emails they send to reset a password. Yet the length limit and the wish to avoid sending multiple SMS messages keep them from sending the optimal message.
Sender identity. SMS spoofing is setting the sender of an SMS message to a value that is not the originating mobile number; the sender can be set to another number or to alphanumeric text. Usually, SMS messages are sent from numbers that users do not know. With SMS spoofing, the sending company can give the user an indication of who the sender is. However, we noticed that some companies do not use this option at all, or use it with a sender name that is not informative. Even so, an informative sender identity appears to matter less than the content of the message; see the results analysis of Experiment 2.
Token validity period. A code can be used only for a limited time period, but this period varies between websites, anywhere from 15 minutes to 24 hours. In the PRMitM attack, this window is critical. Ideally, the attacker would like to reset the password as late as possible: an attacker who gets the code at noon would prefer to reset the password late at night, when the user is sleeping.
Language compatibility. Many websites offer services in many languages, but some do not send the SMS message in the user's language. Users who cannot read the text but can still identify the code become exposed to the attack: a user who gets a message in an unfamiliar language can read the code but not the surrounding text, so an informative warning becomes irrelevant.
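The SMS variant of the attack described at the start of this section, and the role of the validity period discussed just above, can be seen end to end in the following simulation. It is example code written for this page, not code from the paper or from any website: AttackedSite stands in for a service whose reset flow sends a code by SMS, AttackingPage for the attacker's site, Victim for a user who reads the digits off the notification, and the outbox list for the SMS gateway. The six-digit code format, the message text and the account details are assumptions. Note that the attacked site does everything a careful implementation is usually asked to do (single-use code, expiry, constant-time comparison, binding to the requesting reset session); none of it stops the relay, because nothing binds the code to the page the user types it into.

```python
"""PRMitM relay against an SMS password reset, in miniature (example code,
not the paper's own implementation)."""
import secrets
from dataclasses import dataclass


class Clock:
    """Controllable time source so the simulation can jump ahead hours."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class PendingReset:
    phone: str
    code: str
    issued_at: float
    used: bool = False


class AttackedSite:
    """The website under attack: sends a reset code to the account's phone.

    The code is bound to the reset session that requested it and to the
    phone number, but not to the page the user will type it into.
    """

    def __init__(self, clock, code_ttl_seconds):
        self.clock = clock
        self.code_ttl = code_ttl_seconds
        self.accounts = {}   # phone -> password (assumed account model)
        self.pending = {}    # reset session id -> PendingReset
        self.outbox = []     # (phone, text) handed to the SMS gateway

    def register(self, phone, password):
        self.accounts[phone] = password

    def request_reset(self, phone):
        """Start a reset for the account behind `phone`; returns a session id."""
        if phone not in self.accounts:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        session = secrets.token_hex(8)
        self.pending[session] = PendingReset(phone, code, self.clock.now())
        # A 'sender and a code' message: site named, purpose not stated.
        self.outbox.append((phone, f"{code} is your Example verification code"))
        return session

    def complete_reset(self, session, code, new_password):
        """Accept the code once only, and only inside its validity period."""
        req = self.pending.get(session)
        if req is None or req.used:
            return False
        if self.clock.now() - req.issued_at > self.code_ttl:
            return False
        if not secrets.compare_digest(req.code, code):
            return False
        req.used = True
        self.accounts[req.phone] = new_password
        return True

    def login(self, phone, password):
        return self.accounts.get(phone) == password


class Victim:
    """A user who reads the digits off the notification and types them
    into whichever page asked for them, as many did in Experiment 2."""

    def __init__(self, phone):
        self.phone = phone

    def code_from_latest_sms(self, outbox):
        for phone, text in reversed(outbox):
            if phone == self.phone:
                return "".join(ch for ch in text if ch.isdigit())[:6]
        return None


class AttackingPage:
    """The attacker's site: asks for a phone number 'to send a code', but the
    code that arrives comes from the attacked site's reset flow."""

    def __init__(self, target):
        self.target = target
        self.session = None
        self.code = None

    def ask_for_phone(self, phone):
        self.session = self.target.request_reset(phone)   # triggers the real SMS

    def submit_code(self, code):
        self.code = code   # the victim hands over the attacked site's code

    def take_over(self, new_password):
        return self.target.complete_reset(self.session, self.code, new_password)


def run_prmitm(code_ttl_seconds, attacker_delay_seconds):
    """Run one relay; True if the attacker ends up owning the account."""
    clock = Clock()
    site = AttackedSite(clock, code_ttl_seconds)
    victim = Victim("+15555550123")                      # constructed number
    site.register(victim.phone, "victim-password")
    page = AttackingPage(site)
    page.ask_for_phone(victim.phone)
    page.submit_code(victim.code_from_latest_sms(site.outbox))
    clock.advance(attacker_delay_seconds)                # e.g. wait until night
    return page.take_over("attacker-password") and site.login(victim.phone, "attacker-password")


if __name__ == "__main__":
    for ttl, delay in ((24 * 3600, 8 * 3600), (15 * 60, 8 * 3600), (15 * 60, 60)):
        print(f"ttl={ttl:>6}s delay={delay:>6}s takeover={run_prmitm(ttl, delay)}")
```

With a 24-hour validity period the attacker can collect the code at noon and finish at night; with a 15-minute period the delayed attempt fails and the attacker must complete the reset while the victim is still on the attacking page. The short window does not defeat the relay, it only removes the attacker's freedom to choose the moment.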
B. Websites Survey
Table IV summarizes the SMS messages sent by popular websites during their password reset process. We also specify which text represented the sender, the code's validity period, and whether the language is adjusted to the user.
The table presents only websites that support multiple languages. The second column shows the English message each website sends in the SMS.
Unlike common password reset emails, none of the websites' SMS messages included a warning about the danger of disclosing the code. That the message was sent as part of a password reset process appears in only 4 of them. Popular websites like Yahoo and Google send a general message about a verification code; such a message can easily be abused by a PRMitM attacker. Moreover, unlike their messages in other languages, both Google and Yahoo send insecure SMS messages to Russian-language users: their Russian message simply says "Your verification code: XXXX", with no indication of the sender in the message body. Another vulnerable website is Yandex, the only website we tested whose SMS messages never contain the name of the website; Yandex simply sends a verification code and asks the user to enter it in a text field.
To detect what appears as the SMS sender, we initiated the password reset process using SMS from three different devices. Only three websites gave the name of the website as the sender. In the SMS from Facebook, the sender appeared either as a number or as Facebook. In all other cases, we received the SMS from an unknown number or with the string "Verify" as the sender.
To test the validity period of the received code, we initiated the password reset process and tried to use the code after different time periods. We could not find the exact expiration time, but tried different values and recorded the longest period after which we still succeeded in using the code. For services that do not state when their code expires, we searched over the following periods in a binary-search fashion: 5, 10, 15, 30, 45, 60 and 90 minutes, and 2, 3, 4, 6, 8, 10, 12, 18 and 24 hours.
To test language compatibility, we tested the accounts against several popular languages they support. Specifically, we tested English and Spanish, which are very common languages; Russian and German, which are common; and Hebrew, which is not a common language.
We say that a website is SMS language compatible (SLC) with a language if it sends the password reset message in this language. We tested whether a website is SLC only with regard to supported languages, i.e., languages in which the website provides its service. We gave websites one of four grades for their SMS language compatibility:
1) Full. The website is SLC with all of its supported languages that we tested.
2) Good. The website is SLC with all of its supported common languages that we tested, but not with an uncommon supported language.
3) Partial. The website is SLC with more than one supported common language that we tested, but not with another supported common language.
4) English only. Although it supports other common languages too, the website is SLC only with English.
Six of the 10 websites in Table IV received a Full grade. This means that some users of the other four may receive an SMS they cannot understand, which makes them easy targets for PRMitM attacks. We tested the websites by configuring the accounts to use each of the languages. Because some websites may determine the language from parameters such as the country prefix of the phone number, a grade below Full does not mean the website never sends SMS in some of those languages. However, sending critical messages in a language different from the one the user chose is a problem in itself.
C. Evaluation
In the survey we conducted (Section IV-B), we found three types of messages; none of them explicitly warns users against typing the code into another website. The types are sorted from the most to the least vulnerable:
1) Just a code. The message contains only the code, mentioning neither the reset process nor the sending website. For example: Yandex, and Google and Yahoo in Russian.
2) Sender and a code. The sending website is mentioned with the code, but there is no sign of a password reset process. For example: Google, Yahoo, and LinkedIn.
3) Password reset code message. In addition to the code, both the password reset and the sending website are mentioned. For example: Facebook, Twitter, and Microsoft services.
In a typical PRMitM attack that abuses password reset via SMS, the attacker asks the users to authenticate themselves through an SMS he will send them. Once the attacker has the victims' phone numbers, he initiates the password reset process for those numbers on the attacked website. If the victims receive the code and type it into the attacking page, the attacker can take over their accounts on the attacked website.
Naturally, SMS messages of the third type are harder to abuse for the PRMitM attack. Experiment 2 shows that such messages can still be abused effectively, and that a more detailed SMS message does not provide full protection.
For ethical reasons, we did not use the SMS code to complete the password reset process on the participants' accounts. To make sure the SMS code is enough for the attack to work, we successfully simulated the attack under the experimental conditions on several of our own accounts. We showed that it is possible to initiate the password reset process from a machine that has never before been used with the attacked account, as in the experiment, and that it is possible to complete the attack with the code (which the victim receives on her phone and forwards to the attacker). Furthermore, in the examined case of Facebook, the code can also be used to gain access to the account without resetting the password; in that case, no notification about a password reset is sent to the victim's email.
It is important to note that in the experiment, the attacking machine was located in the same country as the attacked computers. In practice, the attacker can detect the IP address of the victim and launch the attack from a machine with similar settings.
EXPERIMENT 2: Effectiveness of the PRMitM attack on Facebook users using SMS, and comparison between Facebook's SMS and a more detailed SMS.
Experiment process. Participants were invited to an experiment about memory skills. Before they accessed the experiment webpage, they were told that if they encountered any problem or anything they did not like, they were free to stop the experiment, go directly to the final form, and leave feedback about the experiment process. The experiment page, which was in fact the attacking page, asked them to identify themselves using their phone number: the page asked the participants to type their phone number so they could receive an SMS with a code to be typed in. Each user was randomly assigned either to the Facebook SMS group or to the detailed SMS group.
In the Facebook SMS group, once the user typed her phone number, the attacking page contacted a server that sent Facebook a request for a password reset via SMS; Facebook then sent the message to the participant. Our server was implemented in Python and used Selenium to imitate browsing activity against Facebook's servers. In the detailed SMS group, we spoofed the following SMS from Facebook: *WARNING* Someone requested to reset your Facebook password. DO NOT SHARE THIS CODE with anyone or type it outside Facebook. The password reset code is XXXXXX.
If a participant identified the threat, she could stop the experiment and move to the final form. The other participants simply played a memory game for 90 seconds before they were redirected to the final form.
In the experiment's final form, we gradually asked the participants about their feelings and suspicions. The users were told that the participants had been randomly divided into two groups and that half of them were manipulated; we then asked them which group they thought they were assigned to. In reality, all participants were manipulated according to their group.
After that question, we continued hinting to the participants about the real purpose of the experiment, by telling them that the goal of the manipulation was to take over one of their accounts, and asked again which group they thought they belonged to. Before asking this question a third time, we told the users that the account we tried to hack was a Facebook account.
Ethics. We had a dilemma about the right way to conduct this experiment. We could have spoofed the Facebook messages and avoided contacting Facebook for the Facebook SMS group. However, we chose to simulate a real attack, mainly because the interaction between the attacking page and the attacker's server, and between the server and Facebook, takes time and could arouse suspicion. We wanted to make sure the experiment simulated a real PRMitM attack and to prove that this attack is indeed practical under real-world conditions. We did not take over any Facebook accounts, nor did we save the codes typed by the users; we only verified the correctness of the typed codes with the users.
Participants. 88 volunteer students from our institute participated in the experiment. Of them, 42 were assigned to the Facebook SMS group and the others to the detailed SMS group. We used volunteers on purpose, so they could feel free to leave the experiment at any moment. The participants did not take part in the other experiments or surveys conducted in this research.
Results. We completed the attack successfully on 90.5% of the Facebook SMS group and on 79.5% of the detailed SMS group. Namely, among the users who underwent a simulation of the attack, only 4 participants stopped the experiment and avoided sending their Facebook password reset code to our server. In both groups, around 50% of the participants did not realize they had been attacked even after we told them we had hacked into the Facebook account of half the participants. We observed that the hints helped the participants understand what had happened, but those in the detailed SMS group were quicker to suspect a security issue. Figure 2 depicts the results.
Results analysis. The results show that the PRMitM attack can be launched automatically.
We questioned the participants who did not stop the attack in order to understand their behavior, and gained two important insights that are relevant for improving the password reset process:
1) Many users just searched for the code without reading the text. Some of them did not even open the message, but read the code from the notification shown on their phone.
2) Many users who noticed that the message came from Facebook thought the login to the experiment was done using the widely used "login with Facebook" mechanism. This means that the sender identity, as set by SMS spoofing, is of minor importance in the attack, mainly when the content of the message is unclear. Furthermore, adding sentences such as "Powered by Facebook" to the attacking page, or even just an explanation that the message will arrive from a specific sender, may make SMS spoofing even more worthless.
Relying on this feedback, we designed mechanisms that prevent such phenomena. See Section VII-B.
This section discusses PRMitM attacks that exploit password reset using phone calls. We first compare the use of SMS and phone calls in password reset processes, and then describe the vulnerabilities we found. Finally, we take Google, the most popular website in the world, as an example of a vulnerable website and evaluate the PRMitM attack on Google users.
A. SMS Code vs. Phone Call
There are many parameters on which a password reset process using SMS can be compared with one using a phone call. This section focuses on the security aspects, mainly with the PRMitM attack in mind.
Sender identifier. With SMS spoofing it is possible to give an indication of the sender regardless of the content. Phone calls have no equivalent mechanism, and the calls arrive from unrecognized numbers.
Length of message. An SMS is limited in length, and hence usually does not contain enough information (see Section IV-A). A phone call can deliver a longer message.
User attention. Reading a code from an SMS requires no effort or concentration. Indeed, in Experiment 2 we noticed that some users do not open the message but read the code from the notification bar, and others read only the code. In a phone call, the user pays more attention to the content of the call, mainly because the user will no longer have access to the code once the call ends.
Language issues. Reading a reset code from an SMS in an unknown language is possible, since numbers are written the same in many languages, and even a code that combines letters can be distinguished from the other letters in the message. Therefore, in many cases companies send SMS messages in a language that differs from the one the user uses, and such cases can be exploited by the PRMitM attacker. To extract the reset code from a phone call, at least a basic understanding of the language is required; hence, a user who extracts the code from a phone call is more likely to also understand the message.
Interactivity. Interactivity in the password reset process can be used to ensure that the user understands the situation. Phone calls are more suitable for such interaction, e.g., by typing digits; indeed, eBay uses an interactive phone call to deliver the password reset code. It is much harder to create secure interaction using SMS.
B. Vulnerable Websites
Websites that support password reset using phone calls might be vulnerable to the PRMitM attack in the same way as the SMS variant. Like an SMS message, a secure phone call must name the initiating website, state that it is part of a password reset process, and warn against disclosing the code.
If a website uses a phone call that just reads out the reset code, the PRMitM attacker can ask the victim for her phone number in order to call her, and instead initiate a password reset process against the website using the victim's phone number. The website will call the victim, who has no way to identify the source of the call. Hence, without suspecting anything, the victim will forward the reset code she received from the attacked website to the attacker.
Among the popular websites surveyed in this paper (Top 100 websites that appear in Tables II and III), only Google, LinkedIn, eBay and Netflix support password reset using both SMS and phone call (in our country). PayPal supports only phone calls.
Among these 5 websites, we found that LinkedIn and Google are vulnerable. LinkedIn's phone call does not mention LinkedIn at all. In Google, we noticed a difference between the 10 languages we could test.
The phone calls in German, French, Russian, Italian, and Persian are just translations of the English call (hence we denote them the English group):
Hello! Thank you for using Google phone verification. Remember! You should not share this code with anyone else, and no one from Google will ever ask for this code. Your code is XXXXXX. Again, your code is XXXXXX. Good bye.
However, the phone calls in Spanish (the second most spoken native language in the world, ahead of English), Arabic, Dutch and Hebrew are surprisingly vulnerable:
Hello! Thank you for using our phone verification. Your code is XXXXXX. Again, your code is XXXXXX. Good bye.
The phone calls in the English group mention the sender (Google) twice and contain a warning about sharing the code. However, they do not explain what the code means; namely, the password reset process is not mentioned.
In the vulnerable calls, the sender's identity is replaced by the generic word "our", and the warning is omitted. Because nothing indicates the real sender or the real meaning of the received code, the phone calls in these languages are completely vulnerable to PRMitM attacks.
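The same three-element checklist (sending site, purpose, warning) applies to the SMS types of Section IV-C and to the call scripts above, and can be run mechanically over the text a site actually sends. The following audit is example code written for this page, not a tool from the paper. It classifies a message into the three types of Section IV-C and, for SMS, also reports the encoding and segment count: a single segment carries 160 characters of the 7-bit GSM alphabet but only 70 once any character forces UCS-2 (Cyrillic, Hebrew, Arabic, most emoji), which is one plausible, though not established, reason for the terse Russian messages in the survey. The keyword lists are a starting point and an assumption, not a complete vocabulary. The Facebook-style text is the detailed SMS from Experiment 2; the other sample inputs are constructed for this example.

```python
"""Audit of password-reset SMS texts and call scripts (example code written
for this page; keyword lists and samples are assumptions)."""

# GSM 03.38 basic alphabet; anything outside it (plus the extension table)
# forces the whole message into UCS-2.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXTENSION = "\f^{}\\[~]|€"   # each of these costs two septets

# Minimal English/Russian vocabulary for 'purpose' and 'warning' (assumed).
PURPOSE_WORDS = ("password", "reset", "парол", "сброс")
WARNING_WORDS = ("not share", "don't share", "anyone", "никому", "не сообщайте")


def sms_segments(text):
    """Return (encoding, units, segments) for one SMS body."""
    if all(ch in GSM7_BASIC or ch in GSM7_EXTENSION for ch in text):
        encoding = "GSM-7"
        units = sum(2 if ch in GSM7_EXTENSION else 1 for ch in text)
        single, concatenated = 160, 153
    else:
        encoding = "UCS-2"
        units = len(text)
        single, concatenated = 70, 67
    segments = 1 if units <= single else -(-units // concatenated)
    return encoding, units, segments


def audit(text, site_name, channel="sms"):
    """Check one message against the three-element checklist.

    type 1 = just a code, 2 = sender and a code, 3 = password reset code message.
    """
    folded = text.casefold()
    names_site = site_name.casefold() in folded
    states_purpose = any(w in folded for w in PURPOSE_WORDS)
    warns = any(w in folded for w in WARNING_WORDS)
    if names_site and states_purpose:
        msg_type = 3
    elif names_site:
        msg_type = 2
    else:
        msg_type = 1
    result = {"type": msg_type, "names_site": names_site,
              "states_purpose": states_purpose, "warns": warns,
              "encoding": None, "segments": None}
    if channel == "sms":
        result["encoding"], _, result["segments"] = sms_segments(text)
    return result


SAMPLES = {
    # the detailed SMS used in Experiment 2, with a placeholder code
    "detailed_sms": ("Facebook", "sms",
        "*WARNING* Someone requested to reset your Facebook password. "
        "DO NOT SHARE THIS CODE with anyone or type it outside Facebook. "
        "The password reset code is 123456."),
    # constructed 'sender and a code' message
    "sender_and_code": ("Google", "sms", "123456 is your Google verification code"),
    # constructed Russian 'just a code' message
    "just_a_code_ru": ("Google", "sms", "Ваш код подтверждения: 123456"),
    # the English-group call script quoted above
    "google_call_en": ("Google", "call",
        "Hello! Thank you for using Google phone verification. Remember! "
        "You should not share this code with anyone else, and no one from "
        "Google will ever ask for this code. Your code is 123456. "
        "Again, your code is 123456. Good bye."),
    # the vulnerable call script quoted above
    "google_call_vulnerable": ("Google", "call",
        "Hello! Thank you for using our phone verification. "
        "Your code is 123456. Again, your code is 123456. Good bye."),
}


def audit_samples():
    return {name: audit(text, site, channel)
            for name, (site, channel, text) in SAMPLES.items()}


if __name__ == "__main__":
    for name, f in audit_samples().items():
        print(f"{name:<24} type={f['type']} site={f['names_site']} "
              f"purpose={f['states_purpose']} warns={f['warns']} "
              f"enc={f['encoding']} segments={f['segments']}")
```

The detailed Facebook-style message carries all three elements and still fits one GSM-7 segment, so the 160-character limit by itself does not force a 'just a code' message; the English-group call script names the site and warns but never states the purpose, so it audits as type 2, and the vulnerable script audits as type 1 with no warning.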
C. Evaluation: PRMitM on Google Phone Calls
This section describes Experiment 3, a user study we conducted to evaluate the PRMitM attack on Google users, exploiting the password reset process via a phone call. For ethical reasons, we did not use the codes received in the phone call to complete the password reset process. However, similar to Experiment 2, we successfully tested the possibility of completing the password-reset process on several of our own accounts. Namely, we verified that under the experiment conditions, in which a password reset request is sent from a machine that was not used before for the attacked account, it is also possible to successfully reset the password.
EXPERIMENT 3: Effectiveness of the PRMitM attack on Google users using phone calls.
Experiment process. The experiment process was the same as in Experiment 2. However, instead of telling the users that they would get a code by SMS, we told them that we would call them. To initiate a password reset process in Google, only the email address of the victim is required. However, we asked the users to enter both their email address and phone number, so the call would not be suspicious. Once the users entered their phone number, our server contacted Google and initiated a phone call to them in order to reset the password. We did not know in advance which language was used by the users, but asked for this information in the final experiment form.
Ethics. The dilemma from Experiment 2 remained with us in this experiment too. For similar reasons, and because we could not predict the call language of some of our participants, we decided to initiate a phone call from Google and not a spoofed one. As in Experiment 2, we did not save the codes typed by the users, and only verified their correctness with the users.
Participants. 68 volunteer students from our institute; 39 of them used the English language (English group), and the others used languages that have vulnerable phone calls (vulnerable group).
Results. As expected, due to the lack of any indication about the real source of the call, all the participants of the vulnerable group completely failed to detect the attack. Among the participants of the English group, only 7 participants (18%) blocked the attack. 59% were "attacked" successfully and realized it after one of the hints. The other 23% did not realize that they had been manipulated even after the three hints. Figure 3 depicts the results.
Results analysis. While we expected that for the languages used in the vulnerable group it would be impossible to detect the attack, we were surprised by how vulnerable the English phone call is. Although the number of participants was low, the results clearly indicate that even the English phone call is vulnerable to the PRMitM attack.
We were mainly interested in users from the English group who failed to stop the attack. The most common argument was the fact that the phone call did not specify anything about the meaning of the code. To the users who thought that the code came from another website, it sounded reasonable that no one from Google would ever ask for this code. A few users said that they did not pay enough attention to the message code. Relying on this feedback, we designed and evaluated a secure phone call that will prevent the attack; see Section VII-C.
The previous sections presented several variants of the PRMitM attack. All the attacks were demonstrated and evaluated on popular websites.
Although websites are easy targets, it is possible to attack other applications as well. In particular, some mobile applications require authentication that is done by typing a code that is received via SMS or a phone call. This makes them potentially vulnerable to the PRMitM attack, if the content of the message is not clear enough.
We audited some of the most popular messaging applications available today to get an indication about possible vulnerabilities. This section presents our short survey and summarizes its findings.
A. Survey: Password Reset in Mobile Messaging Applications
The vulnerabilities we found in popular websites encouraged us to search for similar vulnerabilities in mobile applications as well. In particular, we chose to audit the password reset process of messaging mobile applications. Taking over such applications exposes private and sensitive information about the user, and allows the attacker to perform sensitive operations like sending messages in the name of the user. Table V lists the applications we tested and the supported channels for the password reset process. Mobile applications are especially interesting from the perspective of the password reset process, as messages with a password reset code can be sent through the applications themselves to the mobile phone of the user. This is an additional option to initiate the password reset process that does not suffer from the limitations of SMS and phone calls (e.g., limited length, graphics, etc.). Namely, an installed mobile application can easily explain the password reset process to the user; see also Section VII-E. Among the nine very popular applications we tested, only Telegram supports password reset via the application. Telegram also tries to use this option to reset the password before other techniques like SMS or phone call are used. SMS is the most supported way to initiate the password reset process. Only four applications support password reset via email, three of them exclusively, which makes the PRMitM attack impractical on them.
B. Mobile Applications PRMitM Vulnerabilities
In addition to not using the application itself to reset the password, we found the following vulnerabilities:
Vulnerable phone calls in Whatsapp, Snapchat and Telegram. Among the applications we tested, all three that use a phone call during their password reset process are vulnerable. Namely, in the phone calls of Whatsapp, Snapchat and Telegram, there is neither an indication of the source of the call, nor an explanation of the meaning of the received code, nor a warning about not giving away the code. See Table VI. In Snapchat, to initiate the password reset code, the attacker has to solve a CAPTCHA and to get the username. While using the PRMitM attack to solve the CAPTCHA seems reasonable, it seems harder to trick the victim into giving his Snapchat username. Yet, the attacker can launch targeted attacks on users whose username is known to the attacker (e.g., by applying social engineering techniques).
In Whatsapp, the attacker cannot initiate the phone call immediately. Whatsapp's password reset process begins with an SMS that is sent to the phone number that is used in the process. The phone call is initiated only 5 minutes later, if the process has not completed. Although the SMS used by Whatsapp is also vulnerable (see below), this limits the effectiveness of the attack to, e.g., attackers that can block SMS messages, or to users who will not correlate the SMS from Whatsapp with the registration on the attacking page that claims it will call them, and with the vulnerable phone call that will be received later (the attacking page can mention that it usually takes 5 minutes until the call is received). Telegram's password reset process is similar to that of Whatsapp. However, the phone call is initiated only if the user does not respond to a message that is sent to him via the Telegram application or later via SMS.
Non-informative SMS in all of the applications. The SMS messages of all the applications contain the name of the application. Yet, none of them contain a warning that would prevent the user from typing the code in another website. Following the results of Experiment 2, this puts their users at risk.
This becomes more critical due to the lack of language compatibility. The surveyed applications are widely used across the globe, with many users who use different languages. In spite of that, except for Whatsapp, the messages were sent only in English, regardless of the language settings or the language used by the users. The lack of language compatibility increases the chance that users will just check for the code without reading the other content of the message. This problem is relevant to Facebook Messenger, Telegram, Kakao, Nimbuzz and Snapchat. The SMS messages used by the surveyed applications (Table V) appear in Table VII.
This section discusses defenses against the PRMitM attacks introduced in the previous sections. There are multiple ways to defend against each of the attacks; some of them can be implemented in several ways. The evaluation of all the defense techniques and their different variants deserves a separate work. The variants of each countermeasure should be evaluated in user studies to learn about the optimal configuration for each of them.
The main scope of this paper is to introduce the attack, and to provide first aid that can block it. Therefore, we mainly discuss and evaluate two countermeasures, which we believe can be easily deployed by websites. Both techniques force the users to understand that someone asked to reset the password. Because more effort is required, it might be claimed that these mechanisms harm the user experience. However, we believe that in operations like password reset, it is completely reasonable to make the users work hard to reset their password if it significantly improves the security.
A. Good Security Questions
Security questions that are not exclusively related to the website might be vulnerable to PRMitM attacks. If a website asks many questions that are directly related to the actions done by the user in that site, they cannot be forwarded to the user as legitimate security questions for other websites. Google is an example of a website that relies on security questions combined with other parameters such as IP addresses and originating browser. In addition to general security questions, Google asks questions about common contacts, user-defined labels, and the use of multiple Google services. Nevertheless, it is desirable to avoid relying on security questions, as they can be bypassed by attackers, especially if the attacker is related to the victim.
B. Secure Password Reset Using SMS
Section IV showed that some users do not read the entire SMS messages they receive (Experiment 2). Beyond that, current SMS messages (Table IV) lack a warning about giving away the code, and are sometimes missing explanations about the meaning of the code and the sender. Lack of language compatibility makes this problem even more serious.
Following our findings, we believe that a password reset code should not be sent in clear text over SMS. Hence, we designed a link-via-SMS (LVS) password reset procedure, and evaluated it against detailed SMS messages.
1) Link-Via-SMS (LVS) Password Reset: Links for password reset are used mainly when the password reset is done via email accounts. Among the websites we surveyed, only Facebook sends a link to reset the password in addition to the code. Sending a detailed SMS message with a long link (instead of a code) overcomes the limitations of the SMS with the code. First of all, to exploit such a message, the PRMitM attacker has to ask the user to copy a link to his website, which is unusual. Moreover, since the link is long, the attacker cannot just glimpse at the message. This increases the likelihood that the victim will notice the rest of the text. A long link is better than just a long code. The natural user interaction with links is to press on them. On the other hand, there is always a chance that a user will just copy the code without reading the message. In our implementation of the LVS, the link refers the user to an interactive page that has an alert about the attempt to reset the user's password. The user experience might be degraded if the user cannot access the Internet from her phone. However, we believe that in such cases, it is reasonable to force the user into typing the long link into her browser's address bar. Another question that should be discussed is whether LVS increases the risk of other attacks. We believe that the answer to this question is negative. Following links received in SMS might be harmful, but this has nothing to do with an SMS that is sent by a service that intends to protect its users. Attackers might try to impersonate legitimate LVS messages to trick users into following malicious links; however, they can do the same for legitimate SMS messages (although the original message does not include a link).
2) LVS Evaluation: Experiment 4 repeats Experiment 2 but with an LVS instead of the classical SMS with the code.
EXPERIMENT 4: Effectiveness of LVS against the PRMitM attack on Facebook users.
Experiment process. The experiment process was similar to Experiment 2 with a single change: we sent the participants an SMS with an LVS message. The LVS message was: *WARNING* Someone requested to reset your Facebook password. Press this link to reset your Facebook password: http://bit.ly/XXXXXXX. DO NOT SHARE IT!
Ethics. We only verified that the users indeed have a phone number related to their account. We did not contact Facebook to initiate a password reset process for the participants' accounts.
Participants. 46 volunteer students from our institute who did not participate in any other experiment or survey.
Results and analysis. All the participants stopped the attack; namely, none of them typed the link into the attacking page. This reinforced our hypothesis that LVS is indeed a secure way to reset a password using SMS. This is important due to the poor results achieved by the classical SMS messages (see Experiment 2).
C. Secure Password Reset Using Phone Call
Although phone calls were shown to be vulnerable in Experiment 3, they can be used effectively and securely for password reset processes. Two elements must hold: (1) the message must include the sender, the meaning of the code, and a warning about misuse, and (2) the call must cause the user to listen to and understand the message. For this purpose we conducted Experiment 5, which is similar to Experiment 3, but evaluates a more detailed and interactive phone call. The results show that such a phone call indeed significantly improves the results.
EXPERIMENT 5: Effectiveness of a detailed and interactive phone call against PRMitM attacks.
Experiment process. The experiment process was the same as in Experiment 3. However, instead of initiating a phone call from Google, we called the users with an (interactive) phone call. We denote by Xi and Yi randomly chosen numbers such that Xi ≠ Yi. Pressing Yi always leads to "Good bye! Consider securing your account!". Pressing Xi leads to the next sentence.
1) Hello! This is a phone call from Google in order to reset the password of your Google account. Click X0 if you expected this call, and Y0 otherwise.
2) Warning! Someone asked to reset your Google password. I repeat: Someone asked to reset your Google password. If you did not ask for a password reset code, press Y1; otherwise, press X1.
3) You are about to get a code to reset your Google account password. You should never share this code with anyone else and never type it in other websites. No one from Google or other legitimate websites will ever ask for this code. Your code is XXXXXX. Again, your code is XXXXXX. Good bye.
In each of the choices, either Xi or Yi will be read first, at random. For example, in step 1 of some of the calls, instead of mentioning X0 and then Y0, the following sentence was read: Click Y0 if you did not expect this call, and X0 otherwise. Without waiting more than a second for a user to press something, our phone call lasts about 70 seconds, double that of Google's current English phone call.
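The interactive call above, as an added Python example that is not code from the paper: a small state machine that plays the three steps with fresh random digits X_i and Y_i per step, randomises which digit is announced first, and reads the code only after both confirmations. Assumptions made here: digits are drawn from 0-9, the "asked for a code" phrasing of step 2 is constructed to mirror the step 1 example, any key other than X_i/Y_i (or no key) ends the call without a code, and `key_for` is a simulated attentive listener that parses the prompt.

```python
import random
import re
from typing import Callable, List, Optional

GOODBYE_SECURE = "Good bye! Consider securing your account!"
NO_ANSWER = "No input received. Good bye."   # assumed handling of a wrong or missing key

# Per step, two phrasings: one announces the continue key X_i first, the other the
# abort key Y_i first. {site} is the sender; {x} continues, {y} aborts the call.
STEPS = [
    (
        "Hello! This is a phone call from {site} in order to reset the password of "
        "your {site} account. Click {x} if you expected this call, and {y} otherwise.",
        "Hello! This is a phone call from {site} in order to reset the password of "
        "your {site} account. Click {y} if you did not expect this call, and {x} otherwise.",
    ),
    (
        "Warning! Someone asked to reset your {site} password. I repeat: Someone asked "
        "to reset your {site} password. If you asked for a password reset code, "
        "press {x}; otherwise, press {y}.",
        "Warning! Someone asked to reset your {site} password. I repeat: Someone asked "
        "to reset your {site} password. If you did not ask for a password reset code, "
        "press {y}; otherwise, press {x}.",
    ),
]
FINAL = (
    "You are about to get a code to reset your {site} account password. You should "
    "never share this code with anyone else and never type it in other websites. "
    "No one from {site} or other legitimate websites will ever ask for this code. "
    "Your code is {code}. Again, your code is {code}. Good bye."
)

Keypad = Callable[[str], Optional[str]]   # hears the prompt, returns the pressed digit


def run_call(site: str, code: str, keypad: Keypad, seed: Optional[int] = None) -> dict:
    """Play the call; return {"disclosed": bool, "transcript": [spoken lines]}."""
    rng = random.Random(seed)
    transcript: List[str] = []
    for x_first, y_first in STEPS:
        x, y = rng.sample("0123456789", 2)        # fresh, distinct X_i and Y_i per step
        template = x_first if rng.random() < 0.5 else y_first   # random announce order
        prompt = template.format(site=site, x=x, y=y)
        transcript.append(prompt)
        pressed = keypad(prompt)
        if pressed == y:                           # Y_i: hang up, never read the code
            transcript.append(GOODBYE_SECURE)
            return {"disclosed": False, "transcript": transcript}
        if pressed != x:                           # assumption: any other input ends the call
            transcript.append(NO_ANSWER)
            return {"disclosed": False, "transcript": transcript}
    transcript.append(FINAL.format(site=site, code=code))   # both confirmations given
    return {"disclosed": True, "transcript": transcript}


# Simulated listener: parses the prompt the way an attentive user would, so a test
# does not need to know which digits were drawn or in which order.
_CLAUSES = [
    re.compile(r"Click (?P<first>\d) if you (?P<neg>did not )?expect(?:ed)? this call, "
               r"and (?P<second>\d) otherwise"),
    re.compile(r"If you (?P<neg>did not )?ask(?:ed)? for a password reset code, "
               r"press (?P<first>\d); otherwise, press (?P<second>\d)"),
]


def key_for(prompt: str, requested_reset: bool) -> Optional[str]:
    """Digit an attentive listener presses. `first` is tied to the spoken condition,
    so it aborts when that condition is negated ("did not") and continues otherwise."""
    for pattern in _CLAUSES:
        m = pattern.search(prompt)
        if m:
            first, second = m.group("first"), m.group("second")
            cont, abort = (second, first) if m.group("neg") else (first, second)
            return cont if requested_reset else abort
    return None
```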
Ethics. We did not initiate the password reset process for the participants' Google accounts and did not save their details.
Participants. 45 volunteer students from our institute who did not participate in any other experiment.
Results and analysis. None of the participants disclosed their code, which shows that such a phone call is very effective. Some users failed to follow the instructions the first time. Namely, they initiated the phone call two or three times until they realized that they should not use this phone call to get a code for the experiment website. Although this might also occur for users who really want to reset their password, we believe that the users will agree to bear this overhead to enhance their security.
D. Notifications
Websites should notify their users both about password reset requests and upon password change. The notification should be done both by sending an email and by sending an SMS. This is especially critical when the password reset is done using the phone, and even more crucial for email services. If the attacker takes over an email account, he can delete the received notification. Similar to the password reset messages, the notifications must be clear.
Among the websites we tested (Tables II and III) that support password reset using a phone, only Google sends an SMS notification after a password change.
E. Alternative Countermeasures
A secure password reset process can be implemented using a phone via either SMS or phone call. An additional phone method, implemented by Google, relies on applications installed on the user's phone. An application can prompt a clear notification and initiate a password reset process that does not involve any external website. This makes the process immune to PRMitM attacks.
Another alternative for users who do not have an alternative account is to rely on the accounts of friends. The user should give in advance the email addresses or phone numbers of x friends. In the password reset process, each of the friends will get a code; y ≤ x of the codes are required to reset the password.
In this section we describe both MitM attacks in the application layer, and other techniques that can be used to overcome some of the challenges in the password reset process.
A. Application Level MitM
In the attacks described in this paper, the attacker manipulates the victim into solving challenges raised to the attacker by websites. Previous work offered a similar approach to solve CAPTCHA challenges. Egele et al. proposed overcoming CAPTCHA challenges prompted by websites by prompting the same CAPTCHA challenges to visitors of other websites under the attacker's control. Similarly, viruses and botnets like Koobface forced the users of infected computers to solve CAPTCHA challenges for them.
Lauinger et al. proposed performing a MitM attack between two chatting clients, by opening a chat with each of them, and forwarding their input text from one chat to the other. That way, the attacker can automatically launch social engineering attacks without designing advanced artificial intelligence bots.
Another form of MitM attack is the man in the browser (MitB) attack. In MitB attacks, malware takes over the browser and acts as a proxy between the user and the web. That way, the malware can obtain every piece of information typed by the user. Moreover, the attacker can manipulate operations done by the user, for example, changing the recipient of financial transactions.
Another approach to gain a MitM capability that includes manipulation of the user is to lure the victim into using a router controlled by the attacker. The best-known attack is the evil twin attack. In the evil twin attack, the attacker creates a WiFi access point with an innocuous name, possibly the name of a trusted WiFi access point. The attacker eavesdrops on the HTTP connections of victims who connect to his rogue access point and launches phishing attacks on them.
Phishing attacks also load content from the websites they impersonate, creating a kind of MitM between the original websites and the clients, in order to be as similar as possible to the original websites. More than a decade ago, a sophisticated phishing attack was used to bypass the anti-phishing system used by Bank of America. In the attack, a login phishing website acts as a MitM between the user and the login page of the financial institution, forwarding the challenges to the user and their solutions to the bank. However, this is still a phishing attack and it is no different from other phishing attacks that impersonate a login page and imitate the login procedure. The PRMitM attack shows that such techniques are possible even without the need to impersonate other websites, which is the greatest challenge in phishing attacks. See more on the difference between phishing and PRMitM attacks in Section II-B.
Finally, in Section VII-B, we argue that during the password reset process, links should be used instead of codes. The authors of recommended using links in the registration process for similar reasons.
B. Overcoming Password Recovery Challenges
During the password recovery process, websites use several challenges. Some of these challenges were analyzed in previous work. Although a human attacker can solve CAPTCHA challenges or use cheap labor, it is desirable for the attacker to automate the process. Many methods were developed to solve text CAPTCHAs. Beyond the classical optical character recognition (OCR) algorithms, researchers showed that attackers can abuse audio CAPTCHAs, which are often provided alongside classical CAPTCHA challenges to improve website accessibility. As mentioned above, a MitM attack in the application layer can be applied to solve CAPTCHA challenges. Security questions are another mechanism that has been studied. Previous research showed that many security questions are weak, either due to guessable responses (low entropy) or due to answers that are publicly available online. These works also discuss ways to choose good security questions.
IX. Password Reset Process Audit
Our work discovered vulnerabilities in the password reset process of the most popular websites in the world. If well-secured websites like Google and Facebook are vulnerable, it is reasonable to assume that many other websites that have not been surveyed are vulnerable as well.
The damage that can be caused to billions of accounts over many websites makes it necessary to create a relatively short list of possible problems and secure alternatives. In this section we present such a list that can be used to audit and to secure password reset procedures in websites. The section begins with general guidelines and continues with instructions about the different challenges discussed in the paper.
A. General Guidelines
We present here guidelines that should be applied to prevent PRMitM attacks. We do not repeat known and basic principles like limiting the number of tries in entering the reset code, or cancelling previous codes once a new code is requested.
1) Password-reset messages (SMS, phone call, email) must include the sending website, a clear explanation about the meaning of the code (password reset), and a warning to avoid giving this code to any person or website. However, even all of those elements might not be enough to prevent the attack.
2) In spite of the previous point, password reset using either SMS or phone call can be implemented securely. See examples in Sections VII-B2 and VII-C. Yet, in addition to those countermeasures, the following points should be considered.
3) For each supported language, the password reset messages (SMS, phone call, email) must be sent in that language.
4) Test your password reset process for every supported language separately.
5) Notify the user when a password reset request is sent, to both the email and the phone. If the password reset is done via the phone, this is even more critical. An email notification to an email account that got compromised is useless.
6) The link or the code sent to reset the password should be valid only for a short time period, e.g., 1-15 minutes.
7) If there are several ways to reset the password for a user, automatically disable the less secure ones. If it is impossible to use a secure password reset process, contact the user in advance and offer her both to add information that can be used to reset her password securely and to disable the (only) insecure ways.
8) Require several details about the user before sending the password-reset message (SMS, phone call, email). This prevents the easy option for the attacker to launch the attack given only the phone number of the user, without knowing anything else about the user.
Finally, although the recommendations of this section are given mainly from the perspective of the PRMitM attack, it is important to note that according to the NIST Digital Authentication Guideline, due to other security problems (stronger attacker model), it is not recommended to rely only on SMS or phone calls for authentication.
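Added example, not code from the paper, showing how a website could implement guidelines 1, 3 and 6 above together with the basic attempt-limit and cancel-previous-code rules: an LVS reset service that issues a short-lived, single-use link, renders the message in the user's language, and audits it for the sender, the meaning and the warning before sending. The templates, the phrase lists, the 10-minute window, the 5-attempt limit and the `example.invalid` link base are assumptions made for this example.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

VALIDITY_SECONDS = 10 * 60   # within the guidelines' suggested 1-15 minutes (assumed value)
MAX_ATTEMPTS = 5             # cap on verification tries per issued link (assumed value)

# Per-language LVS templates, constructed for this example. Each must carry the three
# elements guideline 1 requires: the sender, the meaning (password reset), a warning.
TEMPLATES: Dict[str, str] = {
    "en": "*WARNING* Someone requested to reset your {site} password. "
          "Press this link to reset your {site} password: {link} DO NOT SHARE IT!",
    "es": "*AVISO* Alguien ha solicitado restablecer su contraseña de {site}. "
          "Pulse este enlace para restablecer su contraseña de {site}: {link} ¡NO LO COMPARTA!",
}
# Phrases that must all appear for the "meaning" and "warning" elements (assumed lists).
REQUIRED: Dict[str, Dict[str, List[str]]] = {
    "en": {"meaning": ["reset your", "password"], "warning": ["do not share"]},
    "es": {"meaning": ["restablecer", "contraseña"], "warning": ["no lo comparta"]},
}


def audit_message(text: str, site: str, lang: str) -> List[str]:
    """Guideline 1 check: return the missing elements (an empty list means it passes)."""
    low = text.lower()
    missing = [] if site.lower() in low else ["sender"]
    rules = REQUIRED.get(lang)
    if rules is None:                        # guidelines 3/4: an untested language is a finding
        return missing + ["unsupported language"]
    for element, phrases in rules.items():
        if not all(p in low for p in phrases):
            missing.append(element)
    return missing


def token_from_link(text: str) -> str:
    """What the reset page does: pull the token out of the /reset/<token> link."""
    return re.search(r"/reset/([A-Za-z0-9_-]+)", text).group(1)


@dataclass
class _Issued:
    token: str
    issued_at: float
    attempts: int = 0


class LvsResetService:
    """One live reset link per account: a new request cancels the previous one, the
    link expires after VALIDITY_SECONDS, and it is consumed on first success."""

    def __init__(self, site: str, base_url: str, now: Callable[[], float] = time.time):
        self.site, self.base_url, self.now = site, base_url, now
        self._live: Dict[str, _Issued] = {}

    def request_reset(self, account: str, lang: str) -> str:
        """Issue a fresh token and return the SMS text in the user's language."""
        token = secrets.token_urlsafe(24)                  # unguessable, URL-safe
        self._live[account] = _Issued(token, self.now())   # replaces any earlier token
        link = f"{self.base_url}/reset/{token}"
        text = TEMPLATES[lang].format(site=self.site, link=link)
        problems = audit_message(text, self.site, lang)
        if problems:                                       # never send a deficient message
            raise ValueError(f"{lang} template is missing: {problems}")
        return text

    def redeem(self, account: str, token: str) -> bool:
        """Accept only the current, unexpired token, within the attempt limit."""
        issued = self._live.get(account)
        if issued is None:
            return False
        if self.now() - issued.issued_at > VALIDITY_SECONDS:
            del self._live[account]                        # guideline 6: expired
            return False
        issued.attempts += 1
        if issued.attempts > MAX_ATTEMPTS:
            del self._live[account]                        # too many tries: cancel the link
            return False
        if not hmac.compare_digest(issued.token, token):   # constant-time comparison
            return False
        del self._live[account]                            # single use
        return True
```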
B. Security Questions
Avoidrelying on security questions.Security questions are relatively easy to bypass, using either PRMitM attacksor other techniques .
Whatto do with users who do not have an alternative email account or a phone number. We offered two alternatives: (1) rely on email accounts offriends (Section VII-E), and (2) use security questions that are stronglyrelated to the user’s actions in the website (Section VII-A). The second optionis still vulnerable to other attacks and hence, less preferred. When a userdoes not give a website another email address or phone number as alternatives,the website should at least warn the user about the dangers of relying onsecurity questions, and encourage the user to move to the alternatives.
C. SMS Code
Specify the sender name. The sender-ID field of an SMS (the same field that SMS spoofing abuses) can be set so that the message clearly indicates its real sender. Do not send the code as clear text. Many users do not read the message and just detect and copy the code. We offer an alternative: send an SMS with a detailed message and a long link instead (Section VII-B2).
D. Phone Call
Add interactivity to the process to make sure that the users listen to the message and understand what they are doing. For example, after reading a detailed message, do not immediately give the code, but ask the user a few questions to make sure she understands the situation.
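The two recommendations above (a long link instead of a bare SMS code, and an interactive phone call that withholds the code until the user has confirmed what is happening) are easiest to see as a runnable flow, so here is an added example for both; it is not the paper's code and not any provider's IVR script. It assumes a hypothetical site `example.com`, models the phone call as a small state machine driven by the digits the user presses (so it runs without telephony, with `""` standing in for silence or a hang-up), and the question wording is our own. A victim being relayed by a PRMitM attacker is, by construction, on some other website, which is what the second question asks about.

```python
"""Interactive phone-call delivery of a reset code, and the SMS-with-link
variant (added example; `example.com`, the prompts and the templates are
assumptions for illustration)."""
import secrets

SITE = "example.com"        # assumed website name (hypothetical)
YES = "1"                   # DTMF digit that confirms; anything else aborts

INTRO = (f"This is {SITE}. Someone asked to reset the password of your "
         f"{SITE} account. This call can give a code that lets whoever "
         "requested it choose a new password for your account.")

# The code is spoken only after every question is answered with YES.
QUESTIONS = [
    f"Did you yourself ask {SITE} to reset your password in the last few "
    "minutes? Press 1 for yes, or 2 for no.",
    f"Are you typing the code into the {SITE} website, and not into any "
    "other website or giving it to another person? Press 1 for yes, 2 for no.",
]

ABORT = (f"No code will be given. If you did not request this, someone may be "
         f"trying to take over your {SITE} account; please change your password.")


class ResetCall:
    """One call: prompts are appended to `transcript`; `press()` consumes
    one keypress and returns the next thing spoken."""

    def __init__(self, code):
        self._code = code
        self.step = 0               # index of the question being asked
        self.outcome = None         # None while in progress, then
        self.transcript = [INTRO, QUESTIONS[0]]   # "delivered" or "aborted"

    def press(self, digit):
        if self.outcome is not None:
            return None
        if digit != YES:
            self.outcome = "aborted"
            self.transcript.append(ABORT)
            return ABORT
        self.step += 1
        if self.step < len(QUESTIONS):
            spoken = QUESTIONS[self.step]
        else:
            self.outcome = "delivered"
            # Digits are read one by one so the user has to listen.
            spoken = f"Your {SITE} password reset code is {' '.join(self._code)}."
        self.transcript.append(spoken)
        return spoken


def run_call(code, keypresses):
    """Simulate a whole call offline; returns (outcome, transcript).
    Hanging up before all questions are answered counts as aborted."""
    call = ResetCall(code)
    for digit in keypresses:
        if call.outcome is not None:
            break
        call.press(digit)
    if call.outcome is None:
        call.outcome = "aborted"
    return call.outcome, call.transcript


# SMS variant: a detailed message and a long link rather than a short code
# that a user could skim and retype into an attacker's form.
SMS_LINK_TEMPLATES = {
    "en": ("{site}: someone asked to reset the password of your {site} "
           "account. Only if that was you, open this link: {link} "
           "Never forward this message or give the link to anyone."),
    "es": ("{site}: alguien pidió restablecer la contraseña de su cuenta en "
           "{site}. Solo si fue usted, abra este enlace: {link} "
           "Nunca reenvíe este mensaje ni entregue el enlace a nadie."),
}


def sms_with_link(lang="en"):
    """Returns (token, message); the token is 43 URL-safe characters."""
    token = secrets.token_urlsafe(32)
    link = f"https://{SITE}/reset/{token}"
    return token, SMS_LINK_TEMPLATES[lang].format(site=SITE, link=link)


if __name__ == "__main__":
    for presses in (["1", "1"], ["1", "2"], ["1"]):
        outcome, transcript = run_call("482913", presses)
        print(outcome, "|", transcript[-1])
    print(sms_with_link("en")[1])
```

In a deployment the `press()` calls would be driven by the telephony provider's keypress callbacks, and an aborted call should also trigger the notification of guideline 5; the link token should be stored and expired exactly like the code in the earlier guidelines.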
This paper introduced the PRMitM attack, which exploits a set of vulnerabilities in the password reset procedures of popular (and other) websites and mobile applications. The attack allows a weak attacker to take over accounts on many websites, including Google, Facebook and other popular websites we surveyed. We evaluated the attacks and pointed out vulnerabilities and weaknesses of the password reset processes.
Although a simple defense like more detailed SMS messages seems to be enough, our experiments indicate that this is not the case. We designed defenses and evaluated them against the existing implementations of Google and Facebook; our experiments show that our proposed defenses improve security significantly. Finally, to help the many vulnerable websites test and improve their password reset processes, we created a list of rules and recommendations for easy auditing.
ACKNOWLEDGMENTS
The authors wish to express their gratitude tothe Research Fund of the Research Authority of the College of Management AcademicStudies, Rishon Lezion, Israel, for the financial support provided for thisresearch.