Published on June 11th, 2018


Frontier exposed password reset vulnerability


Frontier is a U.S. provider of voice, video, and Internet services and one of the largest Internet providers in the United States. In addition to providing local and long-distance phone services, Frontier also provides broadband network services, digital television services, and computer technical support services in the United States.

According to ZDNet, the password reset vulnerability discovered by security researcher Ryan Stevenson allowed an attacker to bypass the access code sent during the password reset process. Knowing nothing more than a victim's username or e-mail address, an attacker could reset the password and take over the account.

Image: Frontier

Stevenson explained that the access code field was not restricted: the site placed no limit on the number of codes that could be submitted. Using a network interception tool against a test account he had created, he automated the submissions and was able to recover the correct access code every time.


After the vulnerability was disclosed to Frontier, a spokesperson for the telecommunications giant told ZDNet that an investigation was under way. The spokesperson said: “Out of an abundance of caution, while the matter is being investigated Frontier has shut down the functionality of changing a customer’s password via the web.”

Stevenson demonstrated the exploitation of the vulnerability in a video. The interception tool he used in the test was Burp Suite, an integrated platform that is widely used for attacking and testing web applications and that bundles a number of tools.

As he described it, the automated process submits six-digit access codes to the server one after another until the correct one is found. The correct code produces a larger server response than an incorrect one, which makes the hit easy to pick out, and that code can then be used to reset the account password.


According to the video, the automated process Stevenson built tries about 100 codes every 10 seconds. At that rate, sweeping all one million six-digit combinations takes roughly 28 hours, so about a day in the worst case. Stevenson believes that a faster connection would greatly reduce this time.
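To make the mechanism and the arithmetic above concrete, here is a small simulation of the flow the article describes: a reset endpoint with no attempt limit whose success page is larger than its error page, a brute-force loop that uses response size as its oracle, and a hardened endpoint that burns the code after a handful of misses. This is an added illustration written for this page, not Stevenson's tooling or Frontier's code; the two service classes, their response bodies and the demo code 004217 are all constructed for the example.

```python
"""Model of the password-reset code brute force described in the article,
beside a hardened verifier.  Added example: the services, the response
bodies and the code 004217 are constructed for the demo, not taken from
Frontier or from Stevenson's video."""

import hmac
from dataclasses import dataclass

CODE_SPACE = 10 ** 6  # six-digit numeric codes, 000000 through 999999


@dataclass
class VulnerableResetService:
    """Behaviour the article describes: no limit on attempts, and a success
    page (the new-password form) that is larger than the error page."""
    code: str
    attempts: int = 0

    def verify(self, submitted: str) -> bytes:
        self.attempts += 1
        if submitted == self.code:
            return (b"<html><body><h1>Code accepted</h1>"
                    b"<form method='post' action='/reset'>"
                    b"<input name='new_password'></form></body></html>")
        return b"<html><body><p>Invalid code</p></body></html>"


@dataclass
class HardenedResetService:
    """Same flow with the missing control: a small attempt budget, after
    which the code is burned and a fresh reset must be requested.  A
    production version would also expire the code after a few minutes."""
    code: str
    max_attempts: int = 5
    attempts: int = 0
    burned: bool = False

    def verify(self, submitted: str) -> bytes:
        if self.burned:
            return b'{"ok": false}'
        self.attempts += 1
        # Constant-time comparison so response timing leaks nothing either.
        if hmac.compare_digest(submitted, self.code):
            self.burned = True          # a code is single-use
            return b'{"ok": true}'
        if self.attempts >= self.max_attempts:
            self.burned = True          # too many misses: invalidate the code
        return b'{"ok": false}'


def brute_force(verify, start=0, stop=CODE_SPACE):
    """Submit codes in ascending order, using response size as the oracle.
    The first reply sets the baseline; a later, larger reply is the hit, and
    a later, smaller reply means the very first code was the hit.
    Returns (code, attempts), with code None if nothing stood out."""
    baseline = None
    first_code = None
    attempts = 0
    for n in range(start, stop):
        code = f"{n:06d}"
        size = len(verify(code))
        attempts += 1
        if baseline is None:
            baseline, first_code = size, code
            continue
        if size > baseline:
            return code, attempts
        if size < baseline:
            return first_code, attempts
    return None, attempts


def worst_case_seconds(codes_per_second: float, space: int = CODE_SPACE) -> float:
    """Seconds needed to exhaust the whole code space at a given rate."""
    return space / codes_per_second


if __name__ == "__main__":
    target = "004217"
    code, tries = brute_force(VulnerableResetService(target).verify)
    print(f"vulnerable service: recovered {code} after {tries} attempts")

    hardened = HardenedResetService(target)
    code, tries = brute_force(hardened.verify, stop=10_000)
    print(f"hardened service: recovered {code}; "
          f"code burned after {hardened.attempts} attempts")

    # The article's rate: about 100 codes per 10 s, i.e. 10 codes/s.
    print(f"full sweep at 10 codes/s: {worst_case_seconds(10) / 3600:.1f} hours")
```

Against the vulnerable service the loop finds 004217 on its 4,218th request because the reset form is bigger than the error page; against the hardened service the same loop gets five tries, after which even the correct code is rejected, so the attacker's odds are five in a million per reset request. Note that the differing response size is only what makes automation convenient; the root cause is the unlimited attempts, and the fix is the attempt budget (plus a short expiry), not hiding the success page.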
