WebApp Sec mailing list archives
RE: Example of the worst passwd recovery interface
From: "Marc Heuse" <Marc.Heuse () nruns com>
Date: Thu, 4 Aug 2005 10:28:42 +0200
if this is the worst you have seen, you havent seen much :-) I once saw once one where you could specify the email address to send the password to ... amazing. Or the "security questions" with the best one: "what is your favorite colour" :-) but to bring at least a little value to this response: there is another problem in the "send me my password" page you found: it also shows you if a userid exists or not, hence it makes brute forcing accounts + passwords easier. cheers, marc ==================================================================== Marc Heuse n.runs GmbH Mobile Phone: +49-160-98925941 Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10 ==================================================================== -----Original Message----- From: Saqib Ali [mailto:docbook.xml () gmail com] Sent: Mittwoch, 3. August 2005 22:59 To: webappsec () securityfocus com Subject: Example of the worst passwd recovery interface I think Citrix has implemented the most insecure password recovery webpage of all time. Here is the link to their password recovery page: https://secureportal.citrix.com/MyCitrix/Register/RemindPassword.aspx All the user has to do is type in an citrix userid, and the systems sends an password reminder to the email address on the account. Nothing terribly insecure with this. "However the web page also displays the email address to which the reminder was sent." Try my Citrix id: saqib1 So esentially if you have the citrix id of a user, you can get their email address. Getting the Citrix ID is pretty easy process. All the IDs are listed in Citrix Online Discussion Forum: < http://support.citrix.com/forums/index.jspa > Also you can potentially create a email flood for any registered users on the citrix website. the process can be eaily automated. If I remember correctly, Citrix stated in their Privacy Policy, that the email address of the registered will not be displayed on their web pages. So I guess they are voilating their own policy as well. I think Citrix's password recovery webpage is a good example of how NOT to design password recovery webpages. -- In Peace, Saqib Ali http://www.xml-dev.com/blog/
Current thread:
- Example of the worst passwd recovery interface Saqib Ali (Aug 03)
- RE: Example of the worst passwd recovery interface Marc Heuse (Aug 04)
- RE: Example of the worst passwd recovery interface Irene Abezgauz (Aug 04)
- Re: Example of the worst passwd recovery interface Saqib Ali (Aug 11)
- Re: Example of the worst passwd recovery interface Saqib Ali (Aug 04)
- RE: Example of the worst passwd recovery interface Irene Abezgauz (Aug 04)
- Re: Example of the worst passwd recovery interface Christopher Canova (Aug 04)
- Re: Example of the worst passwd recovery interface Yousef Syed (Aug 04)
- Re: Example of the worst passwd recovery interface Javier Fernandez-Sanguino (Aug 05)
- <Possible follow-ups>
- RE: Example of the worst passwd recovery interface Wall, Kevin (Aug 06)
- RE: Example of the worst passwd recovery interface Marc Heuse (Aug 04)