The majority of threats related to the authentication process are associated with passwords and password-based authentication methods. But broken authentication also causes a significant amount of vulnerabilities. Broken authentication occurs when the implementation of the authentication process is flawed. Unfortunately, this is usually hard to discover, and can be more severe than the risks associated with passwords.
This blog post explores the security vulnerabilities that are commonly found in the authentication and password process of a software application. It will also discuss common attack vectors that are used to exploit weak authentication processes.
Logical flaws are a common source of vulnerabilities in software applications and affect the authentication process in the same way. Flawed assumptions about user behaviors, excessive trust in the user inputs, and enforcement of security control only under specific conditions are typical examples of vulnerable authentication logic.
Often security controls are only enforced during the authentication process. Exploiting weak account and password recovery processes is common and involves misusing the “forgot account” or “forgot password” process. For example, in 2016, a security researcher found a way to exploit Google’s account recovery feature, which allowed them to hijack the victim’s account entirely.
Modern software is written with many dependencies. A vulnerability in an authentication dependency can compromise the whole authentication process. For example, an authentication flaw in the WordPress Infinite WP Client and WP Time Capsule plugins let anyone log into the WordPress administrator’s account without any password.
Authentication should be a continuous process, but asking users to prove their credentials at each step is impractical. That’s why authentication state is kept in a stateful session. A vulnerability in session management allows a malicious user to ride on a valid authenticated session without needing to authenticate. Improper logout functionality, lack of session timeouts, and insecure practices such as storing session data in non-HttpOnly cookies, web pages, or browser storage are common session-handling vulnerabilities.
Rate limiters and lockout processes prevent brute-force attacks. The lack of this functionality opens many other ways to exploit authentication processes such as password cracking, user enumeration, and denial of service.
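An added example (not code from the original post) of the lockout logic this paragraph describes: failed logins per account are counted in a sliding window, the account locks after a threshold, and every failure path returns the same generic message so the response does not help user enumeration. Thresholds, the user table and the injectable clock are constructed for the demo.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5          # failures allowed inside WINDOW_SECONDS (constructed)
WINDOW_SECONDS = 300      # sliding window for counting failures
LOCKOUT_SECONDS = 900     # how long the account stays locked

class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so tests can advance time
        self.failures = defaultdict(list)   # username -> timestamps of failures
        self.locked_until = {}              # username -> time the lock expires

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: clear it and the history
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> None:
        now = self.clock()
        recent = [t for t in self.failures[user] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

# Constructed user table. Plain text is used only to keep the demo short;
# a real store holds salted, slow password hashes.
USERS = {"alice": "hunter2-but-longer"}
GENERIC_ERROR = "invalid username or password"

def login(throttle: LoginThrottle, user: str, password: str):
    # Unknown user, wrong password and locked account all produce the same
    # message, so the reply does not reveal which one happened.
    if throttle.is_locked(user):
        return (False, GENERIC_ERROR)
    if USERS.get(user) == password:
        throttle.record_success(user)
        return (True, "ok")
    throttle.record_failure(user)
    return (False, GENERIC_ERROR)
```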
Two-factor authentication (2FA) is a proven way to improve the security of the authentication process. But a flawed implementation can let malicious users completely bypass the 2FA, nullifying the security advantage. For example, researchers at Duo Labs successfully bypassed PayPal’s two-factor authentication. The vulnerability was that the PayPal REST API had insecure enforcement of two-factor authentication when authenticating using OAuth. Similarly, in another recent case, Varonis researchers found a way to bypass Box’s two-factor authentication. The vulnerability was that the feature that allowed a user to disable 2FA did not require any authentication, so anyone could disable the victim’s 2FA.
Additionally, 2FA based on SMS or phone-call verification is also considered insecure.
In the simplest terms, password-based authentication means comparing a password stored on the server with the password supplied by the user. Technically, this comparison can be made with a simple string comparison or by comparing password hashes. Hashing is recommended because it avoids storing passwords in clear text on the server. But using an insecure hash function such as MD5, which is known to be crackable, helps attackers recover passwords from stolen hash values.
Allowing common or default known passwords, or allowing users to set low-entropy passwords, creates an authentication risk, since such passwords are easy to crack. Poor password security enforcement will eventually impact the security of the authentication process.
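An added example (not from the original post) covering the two preceding paragraphs: an unsalted fast hash (MD5) beside a salted, slow key-derivation function with constant-time verification, plus a small deny-list check for common and short passwords. The iteration count, deny list and sample password are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed deny list; production systems check against far larger lists.
COMMON_PASSWORDS = {"password", "123456", "admin", "qwerty", "letmein"}
MIN_LENGTH = 12

def is_acceptable_password(password: str) -> bool:
    # Reject default/common values and very short (low-entropy) choices.
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS

def md5_store(password: str) -> str:
    # Weak: fast and unsalted. Equal passwords give equal digests, so a
    # precomputed table or dictionary run recovers them from a stolen dump.
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    # Recommended shape: random per-user salt plus a deliberately slow KDF.
    # The stored string carries everything needed to verify later.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(stored: str, password: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample
    print("same MD5 for two users:", md5_store(pw) == md5_store(pw))       # True
    a, b = pbkdf2_store(pw), pbkdf2_store(pw)
    print("same PBKDF2 record for two users:", a == b)                     # False
    print("verify ok:", pbkdf2_verify(a, pw), "wrong:", pbkdf2_verify(a, "nope"))
```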
While some vulnerabilities — such as weak passwords and known vulnerable dependency libraries — are easy to exploit, exploiting logical flaws is more challenging and requires a manual attack process. But the most considerable risk might just be tricking users into giving away their credentials. The attack vectors most commonly used to compromise the authentication process can be classified as follows:
Compromising passwords: Phishing is a popular adversarial technique to trick users into giving away credentials such as passwords and PINs and is one of the most potent attack vectors. Phishing has a higher success rate than many other attack vectors which explains its popularity. Similarly, brute-force password-cracking techniques are equally popular. Dictionary-based attacks and rainbow table attacks are also common password-cracking techniques.
Manual exploitation of logical flaws: Manual exploitation includes interception of raw HTTP requests and responses and maliciously manipulating the intercepted data to exploit logical flaws.
SQL injection: SQL injection involves inserting raw SQL into a query so that it retrieves data without authentication or authorization, or even changes the logical behavior of the application. In the context of authentication, SQL injection can spill the credentials stored in the database or alter the authentication logic, allowing an attacker to log in without authenticating. Learn more about how a SQL injection attack works.
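An added example (not code from the original post) of the authentication-logic failure described above: a login check that splices the username into the SQL text beside one that binds it as a parameter and verifies the password in code, both run against an in-memory SQLite table with a constructed user. The toy hash is a stand-in for a real salted, slow password hash.

```python
import hashlib
import hmac
import sqlite3

def toy_hash(password: str) -> str:
    # Stand-in only; a real store uses a salted, slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    # Constructed table with one user.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", toy_hash("alice-secret")))
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Vulnerable: the username is pasted into the SQL text. A quote or a
    # comment sequence in it rewrites the WHERE clause, so the password
    # condition can be cut off and never evaluated.
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password_hash = '{toy_hash(password)}'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Fixed: the value travels as a bound parameter, never as SQL syntax,
    # and the password is checked in code with a constant-time compare.
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], toy_hash(password))

if __name__ == "__main__":
    db = make_db()
    probe = "alice' --"   # constructed input that comments out the rest of the query
    print("vulnerable, bad password:", login_vulnerable(db, probe, "wrong"))  # True
    print("safe, bad password:", login_safe(db, probe, "wrong"))             # False
```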
Although passwords and password-based authentication methods account for most of the vulnerabilities and threats related to authentication, logical flaws and insecure implementations also cause many problems. Besides the vulnerabilities mentioned in this blog post, it is essential to mention that insecure practices by employees can be a significant vulnerability in the authentication process. After all, employees are the weakest link, and attack vectors such as phishing are designed to exploit this weakness.
Just as in application security, vulnerabilities in the authentication process for infrastructure access can be severe. Remoteler enables certificate-based passwordless authentication to infrastructure resources, which eliminates the risks associated with passwords. Additionally, support for single sign-on (SSO) dramatically reduces the probability of logical flaws in the authentication process. Learn how Remoteler certificate-based authentication works.