CAPEC-50 - Password Recovery Exploitation

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure. Most of them use only one security question . For instance, mother's maiden name tends to be a fairly popular one. Unfortunately in many cases this information is not very hard to find, especially if the attacker knows the legitimate user.

These generic security questions are also re-used across many applications, thus making them even more insecure. An attacker could for instance overhear a coworker talking to a bank representative at the work place and supplying their mother's maiden name for verification purposes. An attacker can then try to log in into one of the victim's accounts, click on "forgot password" and there is a good chance that the security question there will be to provide mother's maiden name.

A weak password recovery scheme totally undermines the effectiveness of a strong password scheme.






  • Attack Methods 3
  • Brute Force
  • API Abuse
  • Injection
  • Purposes 1
  • Penetration
  • Scopes 1
  • Gain privileges / assume identity
  • Authorization
  • Access_Control
  • Confidentiality

Low level: Brute force attack

Medium level: Social engineering and more sophisticated technical attacks.

The system allows users to recover their passwords and gain access back into the system.

Password recovery mechanism has been designed or implemented insecurely.

Password recovery mechanism relies only on something the user knows and not something the user has.

No third party intervention is required to use the password recovery mechanism.

For a brute force attack one would need a machine with sufficient CPU, RAM and HD.

Trial and error (brute force).

Social Engineering.

Step 1 -

Understand the password recovery mechanism and how it works..

Step 1 -

Find a weakness in the password recovery mechanism and exploit it. For instance, a weakness may be that a standard single security question is used with an easy to determine answer..

Use multiple security questions (e.g. have three and make the user answer two of them correctly). Let the user select their own security questions or provide them with choices of questions that are not generic.

E-mail the temporary password to the registered e-mail address of the user rather than letting the user reset the password online.

Ensure that your password recovery functionality is not vulnerable to an injection style attack.