Internet service provider Frontier Communications - which recently entered a partnership with Nokia to deploy 10-gigabit internet - has been found to have a flaw on its website which could allow an attacker to reset an account password with just a username or e-mail address.
Security researcher Ryan Stevenson discovered that the password reset process requires a two-factor code, presumably sent to the account owner's e-mail or phone number, but that it doesn't impose a limit on the number of attempts that can be made in inserting the code.
While manually typing in every possible combination would take unreasonable amounts of time, using dedicated software can significantly speed up the process, which is exactly what Stevenson did. Using a network intercept tool and a test account, he automated the entry of codes into the text field at a much faster rate and discovered that the correct code triggered a bigger server response than wrong codes did, making it easy to tell which of the attempts was correct.
The flaw was reported to Frontier and the company says that it's investigating. Furthermore, the ability to reset passwords via the website has temporarily been removed "out of an abundance of caution".
Frontier isn't the first communications provider in the U.S. to be affected by such an issue, as a bug on T-Mobile's website was found to expose customer data without much in the way of protection. Interestingly, that flaw was also discovered by Ryan Stevenson.
Source: ZDNet
1 Comment - Add comment