Posted by: David Harley | June 19, 2015

Webmail: how password recovery can be abused

A short video by Symantec demonstrates how a password recovery mechanism for webmail services can be abused if an attacker knows your cell phone number and you’ve registered the phone for password recovery/reset: basically, the attacker clicks on the ‘I forgot my password’ link so that a verification code is sent to that phone number by SMS. While the attacker doesn’t see the text from the provider directly, he’s then able to text the potential victim, pretending to be the provider, and requiring the victim to return the code in order to counter unusual or unauthorized activity on the account. If the victim does so, his account is wide open to compromise.
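The exchange described above, as an added Python simulation that is not Symantec's demo or any provider's code: the phone numbers, messages and both service designs are constructed. It contrasts a reset that accepts the code from whoever presents it with an alternative design in which the provider only acts on an SMS reply arriving from the registered number itself.

```python
import secrets

PROVIDER = "+10000000001"   # constructed provider short code
VICTIM = "+15550001111"     # constructed victim phone, registered for recovery
ATTACKER = "+15550009999"   # constructed attacker phone
NET = {}                    # in-memory SMS network: number -> [(sender, text), ...]

def sms(sender, to, text):
    NET.setdefault(to, []).append((sender, text))

class CodeEntryReset:
    """Vulnerable design: whoever types the texted code into the web form completes the reset."""
    def __init__(self, phone):
        self.phone, self.pending = phone, None
    def request(self):                    # anyone who knows the address can trigger this
        self.pending = secrets.token_hex(3).upper()
        sms(PROVIDER, self.phone, f"Your password reset code is {self.pending}")
    def submit_code(self, code):          # nothing checks *who* presents the code
        ok = self.pending is not None and secrets.compare_digest(code, self.pending)
        self.pending = None if ok else self.pending
        return ok

class ReplyConfirmReset:
    """Hardened: completes only on an SMS the provider receives *from* the registered number."""
    def __init__(self, phone):
        self.phone, self.pending = phone, False
    def request(self):
        self.pending = True
        sms(PROVIDER, self.phone, "Reply YES to reset your password. Not you? Ignore this.")
    def receive_sms(self, sender, text):  # provider-side handler for inbound SMS
        ok = self.pending and sender == self.phone and text.strip().upper() == "YES"
        self.pending = False if ok else self.pending
        return ok

def phish_relay(svc):
    """Post's sequence: attacker triggers reset, poses as provider; victim relays the text."""
    NET.clear()
    svc.request()
    sms(ATTACKER, VICTIM, "Unusual activity detected. Reply with the code we just sent you.")
    (_, provider_text), (lure_sender, _) = NET[VICTIM]
    sms(VICTIM, lure_sender, provider_text)
    return NET[ATTACKER][0][1]

def scam_vs_code_entry():
    relayed = phish_relay(svc := CodeEntryReset(VICTIM))
    return svc.submit_code(relayed.split()[-1])   # True: the relayed code hijacks the reset

def scam_vs_reply_confirm():
    relayed = phish_relay(svc := ReplyConfirmReset(VICTIM))
    return svc.receive_sms(ATTACKER, relayed) or svc.receive_sms(ATTACKER, "YES")  # False
```

The second design illustrates one mitigation and is not a claim about any real webmail provider; it makes a relayed code worthless, though it does not remove social engineering as a risk.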

A recent blog by Graham Cluley summarizes the scam rather well, and John Leyden’s article for the Register covers much the same ground. However, there’s more to be said on this type of attack (including a potential email variation), and I intend to do just that in an article due to be published on Monday by Infosecurity Magazine. (Now published here.)

David Harley
