I Forgot Your Password: Breaking Modern Password Recovery Systems

Presented at ekoparty 14 (2018), Sept. 27, 2018, noon (50 minutes).

Designing a reasonably secure account recovery feature, as well as a registration method, is not a trivial task. During this session we'll cover the different security issues that can be found in password recovery systems, such as user enumeration, recovery token prediction, insecure storage, and weak random password generation.

To better illustrate these concepts we will go through known reported vulnerabilities and design weaknesses in large-scale technology companies such as Google, Facebook and Microsoft.

During the second part of the session a real-world case study will be presented. We'll analyze the password recovery mechanism used in the SAP HANA platform, the flagship computing platform from SAP. We will start by explaining some basic discovered vulnerabilities, such as user enumeration through mishandled SQL errors, host header injection, SQL injection, and predictable recovery tokens. These examples will help attendees gain a better understanding of the topics covered in the first part. Then, we will show a demo of an attack that uses custom JSON injection to leverage an SQL injection which allows an unauthenticated remote attacker to alter user information. By combining different vulnerabilities, we will show how it is possible for potential attackers to gain full control of the SAP HANA database and applications.

Finally, the last part of the session will focus on providing guidance and advice to developers on how to avoid these kinds of vulnerabilities when developing password recovery systems.
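As an added illustration of the developer guidance the abstract promises (this is not code from the talk, from Onapsis, or from SAP HANA), the following Python sketch shows one way to close the four recovery-flow weaknesses named above: the reset request returns the same message whether or not the account exists (user enumeration), tokens come from the OS CSPRNG rather than a seeded PRNG (token prediction), only a hash of the token is stored and it is single-use with an expiry (insecure storage), and the reset link is built from a configured base URL rather than the request's Host header (host header injection). The class name, the `BASE_URL` value, and the in-memory store are all hypothetical; a real deployment would persist the hashes and send the link by e-mail.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from urllib.parse import quote

TOKEN_BYTES = 32                # 256 bits of entropy from the OS CSPRNG
TOKEN_TTL_SECONDS = 15 * 60     # short-lived: limits the window for any leaked link
# Hypothetical configured origin. Deliberately NOT derived from the Host header,
# so an attacker-controlled Host value cannot redirect reset links.
BASE_URL = "https://accounts.example.test"
# Generic reply used for every request, so responses do not reveal which accounts exist.
GENERIC_REPLY = "If that account exists, a reset link has been sent."


@dataclass
class ResetRecord:
    token_hash: str   # only the SHA-256 of the token is stored, never the token itself
    expires_at: float


class PasswordRecovery:
    """Minimal password-reset flow (hypothetical, in-memory store)."""

    def __init__(self, known_users, now=time.time):
        self._users = set(known_users)
        self._pending = {}          # username -> ResetRecord
        self._now = now             # injectable clock, used by the tests for expiry

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_reset(self, username: str):
        """Return (reply, link). The reply is identical for known and unknown users;
        the link is only produced for known users and is what would be e-mailed."""
        # Do the same amount of work for every request to avoid an obvious timing tell.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        link = None
        if username in self._users:
            self._pending[username] = ResetRecord(
                token_hash=self._hash(token),
                expires_at=self._now() + TOKEN_TTL_SECONDS,
            )
            link = f"{BASE_URL}/reset?user={quote(username)}&token={token}"
        return GENERIC_REPLY, link

    def redeem(self, username: str, token: str) -> bool:
        """Accept a token once, before expiry, using a constant-time comparison."""
        record = self._pending.get(username)
        if record is None:
            return False
        if self._now() > record.expires_at:
            del self._pending[username]
            return False
        if not hmac.compare_digest(record.token_hash, self._hash(token)):
            return False
        del self._pending[username]   # single use: a replayed link fails
        return True


_PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def temporary_password(length: int = 16) -> str:
    """Generate a temporary password from the CSPRNG (not `random`, which is seedable
    and predictable). 16 chars over a 72-symbol alphabet is roughly 98 bits."""
    return "".join(secrets.choice(_PASSWORD_ALPHABET) for _ in range(length))
```

The parts worth copying are the shape rather than the specifics: the caller never learns from the response whether the username was valid, the database only ever holds a hash so a dump does not yield live tokens, and the link's origin is fixed at deployment time instead of reflecting whatever the client sent.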


Presenters:

  • Nahuel D. Sánchez
Nahuel Sanchez is a security researcher at Onapsis. As a member of Onapsis Research Labs, his work focuses on performing extensive research on SAP products and components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent reporters of vulnerabilities in SAP products and is a frequent author of the publication "SAP Security In-Depth". He previously worked as a security consultant, evaluating the security of Web applications and participating in penetration testing projects. His areas of interest include Web security, reverse engineering, and the security of business-critical applications.
  • Martin Doyhenard
Martin Doyhenard is a security researcher at the Onapsis Research Labs. His work includes performing security assessments of SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on Web security, and his areas of interest also include cryptography and reverse engineering.
