The “Forgot Password” feature in web and mobile apps exists for convenience, but it also gives an attacker a way to make the app send an e-mail to an address of the attacker's choosing, which in turn makes the app's DNS resolver look up a domain of the attacker's choosing. A sizeable share of the web apps in a recent study use resolvers that can be cache-poisoned through exactly this path, allowing password reset e-mails to be redirected.
Forgot Password Feature Vulnerable In Web Apps
Timo Longin, a security researcher at SEC Consult, analyzed the DNS name resolution of 146 web apps. 64 of them (about 44%, see the breakdown below) used resolvers that could be cache-poisoned by an attacker who triggers lookups through the “Forgot Password” feature.
Briefly, an adversary abuses the “Forgot Password” feature to make the web app send a reset e-mail, and poisons the resolver's cache so that the e-mail domain resolves to the attacker's mail server instead of the real one. Unlike ARP poisoning on a LAN, the attacker does not need a position between the resolver and the authoritative DNS server: it races a flood of forged DNS responses against the legitimate one, and only needs to win once.
Assuming an attacker can inject arbitrary DNS records into the cache of the DNS resolver used by a web application (DNS cache poisoning), they can manipulate the mapping of e-mail domains (or of their mail exchanger hosts) to IP addresses. A DNS resolution of “gmail.com” then no longer necessarily leads to the IP address of Google's mail server but, for example, to the IP address of the attacker's mail server.
That way, the attacker receives all e-mails the web app sends to “gmail.com” addresses, including password reset e-mails, and can complete the reset for any account registered with such an address.
For this, the attacker can use two different techniques. The first is the Kaminsky attack: the attacker triggers lookups of throw-away subdomains (for example by requesting a reset for an address under “nonce.gmail.com”), floods the resolver with forged responses that guess the 16-bit transaction ID and, if it is not fixed, the UDP source port, and includes in the forged response an additional record for the real mail host so that the cache entry for the whole domain is overwritten. This only works against resolvers that do not randomize their source port, because guessing a 16-bit ID alone is feasible in a few thousand queries. The second is IP fragmentation: the attacker forces the authoritative server's response to be split into IP fragments and spoofs the second fragment, which carries part of the answer but none of the DNS-level entropy (transaction ID, source port, query name), so it does not need to be guessed at all.
To test for these conditions, Longin set up a domain, an authoritative DNS (ADNS) server for it, and a DNS proxy in front of the server, then triggered password resets for addresses under that domain at each web app and logged the queries the apps' resolvers sent (source ports, transaction IDs and how they handled fragmented responses). Of the 146 web apps, 2 used resolvers vulnerable to the Kaminsky attack and 62 used resolvers vulnerable to IP fragmentation.
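The following is an added worked example, not code from the article or from SEC Consult. It models the Kaminsky-style race just described against a toy resolver: an attacker who has observed the resolver's queries at their own authoritative server (as in the study) floods forged replies guessing the transaction ID, and the source port too when the resolver randomizes it. It also includes a rough check of the kind a logging authoritative server can apply to the (txid, port) pairs it records, which is the sort of assessment the DNS Reset Checker tool automates. Domain names, IP addresses (from the documentation TEST-NET ranges), the RNG seed and the query and guess counts are all assumptions; nothing touches the network.

```python
"""Toy model of the Kaminsky-style race against a web app's resolver.

Constructed example: a caching resolver that looks up the mail domain from
a password-reset request, and an attacker flooding forged replies that guess
the 16-bit transaction ID (and, if the resolver randomises it, the UDP source
port). Everything is simulated with a seeded RNG; nothing touches the network.
"""
import functools
import random
from dataclasses import dataclass, field

TXID_SPACE = 1 << 16               # DNS transaction ID: 16 bits
PORT_MIN, PORT_MAX = 1024, 65535   # ephemeral range used when ports are randomised
PORT_SPACE = PORT_MAX - PORT_MIN + 1
ATTACKER_IP = "192.0.2.1"          # TEST-NET-1 placeholder for the attacker's mail server
LEGIT_IP = "203.0.113.10"          # TEST-NET-3 placeholder for the real mail server


@dataclass
class Resolver:
    """Minimal caching resolver with one outstanding query at a time."""
    randomise_port: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)

    def send_query(self, qname):
        """Emit a query; a reply is accepted only if txid and port match."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randint(PORT_MIN, PORT_MAX) if self.randomise_port else 53
        return qname, txid, port

    def accept(self, outstanding, txid, port, additional):
        """First matching reply wins and its additional records are cached.
        An unhardened resolver caches 'additional' records for names under the
        queried domain, which is what lets a reply for a throw-away subdomain
        overwrite the entry for the real mail host."""
        if (txid, port) == outstanding[1:]:
            self.cache.update(additional)
            return True
        return False


def kaminsky_attack(resolver, mail_domain, observed_port, queries, guesses, rng):
    """Trigger `queries` lookups of never-seen names (e.g. by requesting a reset
    for an address under <nonce>.<mail_domain>) and send `guesses` forged replies
    before the real answer arrives. `observed_port` is the fixed source port the
    attacker saw the resolver use at their own authoritative server, or None if
    the ports looked random. Returns True once mail.<mail_domain> points at the
    attacker."""
    mx = f"mail.{mail_domain}"
    for i in range(queries):
        nonce = f"{i}.{mail_domain}"
        outstanding = resolver.send_query(nonce)
        for _ in range(guesses):
            txid = rng.randrange(TXID_SPACE)
            port = observed_port if observed_port else rng.randint(PORT_MIN, PORT_MAX)
            if resolver.accept(outstanding, txid, port, {mx: ATTACKER_IP}):
                return True
        # Burst missed: the legitimate reply lands and only the nonce is cached.
        resolver.cache[nonce] = LEGIT_IP
    return resolver.cache.get(mx) == ATTACKER_IP


def success_probability(queries, guesses, randomise_port):
    """Approximate chance that at least one forged reply is accepted."""
    space = TXID_SPACE * (PORT_SPACE if randomise_port else 1)
    return 1 - (1 - guesses / space) ** queries


def assess_source_ports(samples):
    """Check a logging authoritative server could apply to the (txid, port)
    pairs it records from a web app's resolver: flag ports that are fixed,
    step by a constant, or repeat a lot. Returns (looks_random, distinct)."""
    ports = [port for _, port in samples]
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    predictable = len(ports) > 2 and len(deltas) == 1   # fixed or sequential
    distinct = len(set(ports))
    return (not predictable) and distinct >= 0.9 * len(ports), distinct


@functools.lru_cache(maxsize=None)
def run_demo(seed=7, queries=5000, guesses=200):
    attacker_rng = random.Random(seed)
    weak = Resolver(randomise_port=False, rng=random.Random(seed + 1))
    strong = Resolver(randomise_port=True, rng=random.Random(seed + 2))
    # What the attacker's authoritative server would log from the strong resolver.
    observed = [strong.send_query(f"probe{i}.example.com")[1:] for i in range(50)]
    return {
        "fixed_port_poisoned": kaminsky_attack(weak, "gmail.com", 53, queries, guesses, attacker_rng),
        "random_port_poisoned": kaminsky_attack(strong, "gmail.com", None, queries, guesses, attacker_rng),
        "p_fixed": success_probability(queries, guesses, False),
        "p_random": success_probability(queries, guesses, True),
        "observed_random_ports": observed,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        if key != "observed_random_ports":
            print(f"{key}: {value}")
```

With a fixed source port the attacker needs on average about 65536/200 of these reset-triggered lookups before a forged reply is accepted, so 5000 lookups succeed with near certainty; with randomized ports the search space grows by a factor of roughly 64500 and the same budget almost never hits. The model leaves out the real-world details that make the attack harder (the legitimate reply racing the burst, resolvers that reject out-of-bailiwick additional records, 0x20 query-name randomization), and the IP fragmentation variant described above is not modelled because it sidesteps this entropy entirely.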
Apart from account takeovers, a poisoned resolver can enable other attacks: any hostname the web app itself connects to (webhooks, link previews, API back ends) can be pointed at an internal or attacker-controlled address, turning the flaw into a form of SSRF.
The researcher has shared the details of the findings in a blog post.
How To Avoid DNS Cache Poisoning?
While Longin has explained the details of the attack in the post, he hasn’t presently named the vulnerable web apps.
Nonetheless, since many web apps outside this study are likely affected as well, Longin recommends that web apps use a hardened public resolver such as those operated by Cloudflare, Google, or Cisco (OpenDNS) rather than an unmaintained local one, since these randomize source ports and handle fragmented responses safely. He has also published an open-source tool, “DNS Reset Checker,” that assesses the security of a web app's DNS resolver by triggering password resets against an attacker-controlled domain and analyzing the resulting queries.