INACTIVE ACCOUNT HIJACKING

author: l0om
page:   l0om.org
date:   29.04.2009

OVERVIEW:

I would like to draw your attention to a problem that is already known and has surely been exploited for a long time, but clearly seems to be underestimated. The problem is quickly explained:

- email service providers delete inactive accounts after six or twelve months of inactivity and release the address (e.g. GMX, WEB)
- many platforms such as Amazon do NOT delete inactive accounts

This asymmetry in handling inactive accounts has the consequence that thousands of accounts on various online platforms, like Amazon or eBay, can be hijacked by attackers without any technical difficulty. The procedure is so simple that it hardly needs to be mentioned:

- An attacker takes an old email address and tries to register it at the email service provider.
- If it can be registered, it is assumed that the account has been released (or never existed).
- Then the attacker tries to create accounts for that email address at a variety of online platforms.
- If the registration succeeds, no account is registered for this email address at this online platform.
+ If the registration fails because an account already exists there, a registered account for this email address has been found, and now it gets ugly.

An attacker can hijack the account on the online platform by simply registering the email account and then using the forgotten-password function. The attacker gets a link which can be used to set a new password. Now he has the user data and the functions of the original owner under his control.

Sure, some platforms, e.g. eBay, won't send you the password reset link for free like Amazon does. On eBay you first have to enter some information about your person, like your address or your birthday. The problem is that the requested information expects answers which may be found on the internet; just think about social networks like MySpace.
With the use of Google and the victim's email address, the attacker can look up such information quickly. Finally, there are the "useful" aspects of sites like 123people.com... Jeopardized are all online systems with such a forgotten-password function in use. Furthermore, on holidays an attacker receives newsletter emails which lead him to other accounts.

AUTOMATIC:

badass@evilhost:~$ ./hippolyte.sh -h
Hippolyte
Your Amazons are mine...
written by l0om (who likes to have amazons too)

hippolyte.sh < -f email-file [options] >

options:
-f: next argument the file with emails (seperated with \n)
-l: next argument the logfiles name
-v: verbose
-p: next argument the full proxy (eg. "localhost:4001")

badass@evilhost:~$ ./hippolyte.sh -f accounts -l output
Hippolyte
Your Amazons are mine...
written by l0om (who likes to have amazons too)

get vaild gmx sid...done
get amazon cookies...done
---------- come get my belt ----------
check account censored-01@gmx.de at gmx.de
check account censored-02@gmx.de at gmx.de
GMX account censored-02@gmx.de is free to register
checking censored-02@gmx.de at amazon...
+++ possible account hijacking for censored-02@gmx.de at amazon.de
check account censored-03@gmx.de at gmx.de
GMX account censored-03@gmx.de is free to register
checking censored-03@gmx.de at amazon...
+++ possible account hijacking for censored-03@gmx.de at amazon.de
check account censored-04@gmx.de at gmx.de
GMX account censored-04@gmx.de is free to register
checking censored-04@gmx.de at amazon...
+++ possible account hijacking censored-04@gmx.de at amazon.de
check account censored-05@gmx.de at gmx.de
[...]

The results of the test have been terrifying: of 200 checked accounts, 20 accounts to hijack were found, and that while focusing only on Amazon, which an attacker wouldn't do. "hippolyte.sh" might be released in some days...

DEFENSE:

It is necessary to address the forgotten-password function on large platforms as quickly as possible.
Instead of just asking for the email address to identify yourself, you should be asked for e.g. the last digits of your bank account number. This information should not be findable anywhere on the internet, which will make efficient execution of the attack impossible. Furthermore, newsletter scripts should check for delivery-failed messages caused by non-existent email accounts. Such accounts can and should be deleted.

GREETINGS: John K., IČ, Molke, McFly, Takt, Proxy, Maximilian, Theldens, Commander Jansen, detach, ole and last but not least Jquade

FLAMES: salem, the knilch
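The two measures from the DEFENSE section, as an added example that is not part of the original advisory or of hippolyte.sh: a newsletter bounce check that flags accounts whose mailbox the provider reports as gone, and a reset decision that refuses a bare e-mail link for such accounts unless the requester proves an out-of-band secret such as the bank account digits proposed above. The bounce lines, account list and secret are constructed; the status codes 5.1.0/5.1.1 are the standard DSN "bad destination mailbox" codes (RFC 3463).

```python
import hmac
import re
from dataclasses import dataclass

# Constructed sample of newsletter bounce (DSN) notices, one per line:
# "<recipient> <enhanced status code> <diagnostic text>"
SAMPLE_BOUNCES = """\
censored-02@gmx.de 5.1.1 user unknown
censored-03@gmx.de 5.1.1 mailbox does not exist
censored-04@gmx.de 4.2.2 mailbox full
censored-07@gmx.de 5.7.1 message rejected
"""

# Permanent "no such mailbox" codes (5.1.0 / 5.1.1); temporary 4.x.x and 5.7.x are not
HARD_BOUNCE = re.compile(r"^(\S+@\S+)\s+5\.1\.[01]\b")


def hard_bounced_addresses(bounce_text):
    """Addresses whose mailbox the provider reports as gone (may be re-registered later)."""
    found = set()
    for line in bounce_text.splitlines():
        m = HARD_BOUNCE.match(line.strip())
        if m:
            found.add(m.group(1).lower())
    return found


@dataclass
class Account:
    email: str
    email_dead: bool = False  # mailbox hard-bounced at some point


def flag_dead_mailboxes(accounts, bounce_text):
    """Mark accounts whose address hard-bounced; returns the flagged e-mails (sorted)."""
    dead = hard_bounced_addresses(bounce_text)
    for acct in accounts:
        if acct.email.lower() in dead:
            acct.email_dead = True
    return sorted(a.email for a in accounts if a.email_dead)


def reset_decision(account, given_secret=None, stored_secret=None):
    """'link': mailbox never bounced, an e-mail link alone is acceptable;
    'step_up': mailbox was dead but the requester proved the out-of-band secret;
    'deny': dead mailbox and no valid secret, so no reset link is sent."""
    if not account.email_dead:
        return "link"
    if given_secret is not None and stored_secret is not None and \
            hmac.compare_digest(given_secret, stored_secret):
        return "step_up"
    return "deny"
```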