Educause Security Discussion mailing list archives
Re: ADP: A Tale of Two Password Reset Portals
From: Shawn Merdinger <shawnmer () GMAIL COM>
Date: Wed, 1 Jun 2016 10:42:20 -0400
ADP response:

<snip>
"Currently the https://ipay.adp.com/iPay/login.jsf is employing a simplified password reset flow based on the feedback from clients. The methodology was designed to help offset some of the overhead clients were experiencing from the flow currently in use via Portal. By sending the security code to an email or mobile phone the flow met an acceptable level of security and helped reduce the need for administrator intervention due to issues such as forgotten challenge question answers. After discussing the current behavior with our Product and Security divisions the decision has been made to revisit this simplified password reset flow. We are working on a solution that will continue to provide an improved user experience without introducing the potential for increased risk. At this time we do not have a timeline for making these changes but this has been given a top priority."
</snip>

Cheers,
--scm

On 5/10/16, Shawn Merdinger <shawnmer () gmail com> wrote:

Hi List Folks,

Maybe some are aware of this, but it was new info to me. Fwiw, targeted attacks to obtain ADP access and payroll/W-2 info are actively using the Pathway Two method when an attacker gains control over a target's email account. I expect most folks resetting a forgotten ADP password go Pathway One. Give Pathway Two a try to really get a feel for the issues. The user condition is that one has "activated" their email address with ADP.

So, what's the issue? If you have "activated" your email account with ADP, an attacker who obtains control of your email can reset the ADP password, _without answering the custom security questions_, via Pathway Two.

Also via Pathway Two, an attacker can obtain an ADP login username -- just by knowing the first and last name and "activated" email address of the target...extraneous information disclosure for sure, and a juicy harvesting opportunity for some really targeted attacks, including social engineering, as the attacker can control the timing of the "Attempt to retrieve your User ID" email sent to the user (as in "Hi, I'm from ADP security and am going to walk you through the password reset as a safety measure...did you get the user look-up email just now? Great...let's continue to the next steps...").

[ Pathway One ]

Goal: Recover forgotten password
Attacker condition: Obtained user email credentials and email access
User condition: Activated email address with ADP after setting up account

Steps:
Browse to https://portal.adp.com/
Click "Forgot Your Password?"
Browser redirects to https://netsecure.adp.com/ilink/pub/forgotpassword/index.jsp
Steps 1-5 dialog:
  1. User ID
  2. Reset Method Choice (choose send temp password to email)
  3. Security Question #1 <-- ATTACKER MUST KNOW THIS ANSWER
  4. Security Question #2 <-- ATTACKER MUST KNOW THIS ANSWER
  5. Confirm send password, then Confirmation screen
Login with temp password sent to email
Change password using temp password for field 1, new password for fields 2 and 3
Email sent, subject "ADP Generated Message: Password Change"

[ Pathway Two ]

Goal: Recover forgotten password
Attacker condition: Obtained user email credentials and email access
User condition: Activated email address with ADP after setting up account

Steps:
Browse to https://ipay.adp.com/iPay/login.jsf
Click "Forgot Your User ID/Password?"
Redirects to https://netsecure.adp.com/ilink/pub/smsess/forgot/theme.jsp
Dialog box:
  Enter first name
  Enter last name
  Enter email
Result discloses ADP login username just by knowing target name and email...wow
Email sent, subject "ADP Generated Message: Attempt to retrieve your User ID"
Click "I don't know my password" option
Choose send to email on "Your security code" option
Email sent, subject "ADP Generated Message: Security Code"
Enter security code in dialog box within 15 minutes
Reset password
Email sent, subject "ADP Generated Message: Password Change"
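As an added illustration (not part of the thread, and not ADP's code), the two pathways above can be written down as recovery flows and checked with a small design rule: a flow is unsafe if every non-public factor it asks for is satisfied by one channel the attacker may already hold (here, the mailbox), and it is an enumeration oracle if it reveals account data before any non-public factor gates it. The step names and channel labels are modelled from the thread's descriptions.

```python
"""Design check for account-recovery flows (added example, not ADP code):
which flows still complete for an attacker holding only certain channels,
and which disclose account data in return for public inputs alone?"""
from dataclasses import dataclass
# Channels: "public" = data an outsider can simply know (name, address);
# "email" = mailbox contents; "knowledge" = custom security answers.
@dataclass(frozen=True)
class Step:
    name: str
    channel: str
    reveals: str = ""  # data shown to whoever passes this step

@dataclass(frozen=True)
class Flow:
    name: str
    steps: tuple

PATHWAY_ONE = Flow("portal.adp.com forgot password", (
    Step("User ID", "email"),  # found in the mailbox or via Pathway Two
    Step("Security question #1", "knowledge"),
    Step("Security question #2", "knowledge"),
    Step("Temporary password", "email"),
))

PATHWAY_TWO = Flow("ipay.adp.com forgot user id/password", (
    Step("First name", "public"),
    Step("Last name", "public"),
    Step("Email address", "public", reveals="User ID"),
    Step("Security code", "email"),
))

def missing_factors(flow, controlled):
    """Steps the attacker cannot satisfy; empty means account takeover."""
    return [s.name for s in flow.steps
            if s.channel != "public" and s.channel not in controlled]

def takeover_flows(flows, controlled=frozenset({"email"})):
    """Flows an attacker with only the `controlled` channels can finish."""
    return [f.name for f in flows if not missing_factors(f, controlled)]

def enumeration_flows(flows):
    """Flows that reveal data before any non-public factor gates access."""
    found = []
    for f in flows:
        gated = False
        for s in f.steps:
            gated = gated or s.channel != "public"
            if s.reveals and not gated:
                found.append((f.name, s.reveals))
    return found
```

Run against both flows, only Pathway Two appears in `takeover_flows` for a mailbox-only attacker, and it is the only flow flagged by `enumeration_flows`; Pathway One is stopped by the two knowledge factors.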