The fourth part of the series will comprehensively introduce you to another common cyber vulnerability, broken authentication. The previous pieces in this series have covered injection vulnerabilities, buffer overflows, and sensitive data exposure.
What Is Broken Authentication?
Broken authentication is a broad category with various other security flaws bundled as a whole. Any security flaw generated due to an error in the implementation of authentication and session management falls under broken authentication. With such diversity, it is difficult to find common grounds between these vulnerabilities. But this is an evident security risk as OWASP list of 10 most critical web application security risks still rate “broken authentication,” formerly “broken authentication and session management” as No. 2 on their list. This list is updated regularly and yet, broken authentication risk has maintained its position .
These days, many websites ask their users to log in to avail access to its services. Usually, this login system possesses a username and an associated password. This pair of the right credentials generates a unique session ID for each of its account holders. It is combined to identify the unique identity of the associated user. If this isn’t implemented correctly, an impostor can misuse the situation.
In simpler words, broken authentication attacks allow the perpetrator to either gain access or bypass the user authentication system of a web application.
Five Identity Attacks Exploiting Broken Authentication
The integrity of traditional methods of storing usernames and passwords in a database can be considered to be broken authentication. Sensitive data are transferred to cloud applications, giving easy accessibility to its users to log in from anywhere. The accessible-anywhere feature is making it challenging for traditional methods to secure various potential vulnerable entry points.
These five identity attacks can exploit broken authentication and impact your organization negatively, discussed as follows:
1. Broad-based Phishing Campaigns
Gaining access to a few accounts, especially admin accounts, can compromise the entire organization’s data. This type of data compromises generally uses social engineering or phishing methods. Verizon’s 2019 Data Breach Investigations Report reveals that 29% (an approximate of one-third) of successful data breaches use stolen credentials to gain access to unauthorized accounts .
2. Spear Phishing Campaigns
Unlike broad-based campaigns, spear phishing is a targeted attack that requires research. Spear phishing focuses on small organizations with limited employees to evade automated filters. This small group is then targeted by the attacker using personal messages or malicious call-to-action rewards.
3. Credential Stuffing
It is a brute-force attack that gains advantage thanks to challenges that a user faces with maintaining different pairs of usernames and passwords for dozens of different websites. Cybercriminals use the compromised credentials to get access to other online accounts. Telesign Consumer Account Security Report highlights that 73% of online accounts can gain access to unauthorized accounts using duplicate passwords .
4. Password Spraying
Password Spraying is another form of brute-force attack. Under this attack, users using the most common passwords fall prey to attackers. These most often used passwords should match the complexity policy of the domain. So, instead of trying multiple passwords for the same account holder, the attacker uses the commonly used passwords for various users.
5. Man-in-the-Middle Attacks
The highly targeted attack allows the attacker to gain access to data-in-transit and pose as the lone owner of the account. This attack can be executed properly with session hijacking or intercepting a dedicated network connection. Even the encrypted data under such an attack is vulnerable to the tactics of a malicious attacker. To decrypt the data, the perpetrator can trick the victim into downloading a malicious certificate.
Is Your Account Susceptible to Broken Authentication (and Session Management) Attacks?
The credentials for your account can be compromised if:
- User authentication credentials are stored in plain format or without using hashing and encryption
- If the website is relying on weak account management functions (such as account creation, change/recover password and weak session IDs), then sensitive credentials can be easily guessed or overwritten
- URL rewriting—Sometimes URL exposes the session ID
- Session fixation attacks can compromise the session IDs
- If session value doesn’t time-out or doesn’t become invalid even after the session has been logged out
- If session IDs remain the same even after every login; they should rotate after each successful login
- Passwords, session IDs/token, or credentials when transmitted over an unsecured network connection
Impact of Broken Authentication
Broken authentication targets passwords, keys, session tokens, or other entities dealing with the user’s identity. The broken authentication and session management flaws permit attackers to target a specific or group of account holders. If the attacker is successful, they get full access to the account and can harm the victim in many ways. The attacker can cause reputational and financial loss. They can act as an impostor to malign the personal relationships of the victim, too. Selling the compromised credentials to the other party is another possibility.
In 2018, cybercriminals made 30 billion login attempts, highlighting the credential-stuffing attacks. The attacks were automated and performed through miscreant leverage bots .
Even recently, in February, multiple credit unions in the USA were hit by a highly targeted, malware-laced phishing campaign. The malicious campaign circulated phishing emails, impersonating as compliance officers from different credit unions .
How to Avoid Falling for Broken Authentication Attacks?
If you pay attention to the listed tips, then you can avoid this situation.
- Password Length—Generate a minimum of eight-character long password. This step helps your password to stand a chance against the brute-force attack.
- Password Complexity—Keep your password alphanumeric (lower-case and upper-case letters, punctuation marks, symbols, and numbers), which increases its complexity.
- Error Responses—In case the authentication request fails, the failure response should be generic “Invalid username and/or password.” It should not prompt the specific reason for the failure (such as “Invalid username” or “Invalid password”).
- Protection Against Brute-Force Attacks—Limit the number of invalid login attempts, after which disable the account for a specific period. This limitation will discourage the attacker.
- Multifactor Authentication—Ensure that your accounts are set up using at least a two-factor authentication process. This will make it more difficult for the attacker to gain access to your account.
Broken authentication is happening more frequently than anyone of us can anticipate. Don’t fall for the trap of cyber attackers when you can follow the prevention steps to avoid such attacks.
Keep an eye out for the last part of this series where we will introduce you to security misconfiguration!