I Forgot Your Password: Breaking Modern Password Recovery Systems, presented at ekoparty Security Conference 2018

by Nahuel Doyhenard

Summary: Designing a decently secure account recovery functionality, as well as a registration method, is not a trivial task. During this session we’ll cover the different security issues that can be found in password recovery systems, such as user enumeration, recovery token prediction, insecure storage, and weak random password generation. To better illustrate these concepts, we will go through known reported vulnerabilities and design weaknesses in large-scale technology companies such as Google, Facebook and Microsoft. During the second part of the session, a real-world case study will be presented. We’ll analyze the password recovery mechanism used in the SAP HANA platform, the flagship computing platform from SAP. We will start by explaining some basic discovered vulnerabilities, such as user enumeration through mishandled SQL errors, host header injections, SQL injections, and predictable recovery tokens. These examples will help attendees better understand the topics covered in the first part. Then, we will show a demo of an attack that uses custom JSON injection to leverage an SQL injection, which allows an unauthenticated remote attacker to alter user information. By combining different vulnerabilities, we will show how it is possible for potential attackers to gain full control of the SAP HANA database and applications. Finally, the last part of the session will be focused on providing guidance and advice to developers on how to avoid these kinds of vulnerabilities when developing password recovery systems.