CAPEC-50

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Medium Severity: High
Password Recovery Exploitation

Description

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.

Prerequisites

The system allows users to recover their passwords and gain access back into the system.

Password recovery mechanism has been designed or implemented insecurely.

Password recovery mechanism relies only on something the user knows and not something the user has.

No third party intervention is required to use the password recovery mechanism.

Mitigations

Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic.

E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.

Ensure that your password recovery functionality is not vulnerable to an injection style attack.

Skills Required

[Low] Brute force attack

[Medium] Social engineering and more sophisticated technical attacks.