Anyone with some time could take over a user’s account.
Security researcher Ryan Stevenson discovered a bug with internet provider Frontier’s password reset system that just shouldn’t be there. In fact, I’d hesitate to call it a bug at all. User’s that wish to change their password could easily do so online, unfortunately, so could anyone else.
The system utilized two-factor authentication, but the way it was carried out meant that the security gained by this method was null and void. Upon requesting a password reset, users are sent a six digit code to input into the system and then proceed to access their account to change the password. Unfortunately, the user had an unlimited amount of times that they could enter the code. Meaning that anyone could sit there an input codes until they discovered the right code.
Stevenson created a test account, and attempted the hack himself, easily finding his way into the account. With the system that he was using, ZDNet suspects it would take just over a day to attempt every possible 6 digit combination, and could be done even faster with an improved setup.
Since Frontier was notified of this “bug” they have taken down the portal to change passwords online. “Out of an abundance of caution, while the matter is being investigated Frontier has shut down the functionality of changing a customer’s password via the web,” said a spokesperson for the company. It is not yet known if anyone had fallen victim to this trick.