Stealing passwords?


Post by mitch8910 on Sat Dec 28, 2013 7:52 am

So I have just found this website and have spent a few hours on it doing some of my first tasks, and I think I have gone well so far with little experience only in Java and HTML, and I have already learnt a fair bit. :)

What I want to know is: Is it possible to gain a password on a website using "tamper data" like is done in basic 5?

A method I thought of was selecting "forgotten password", which sends the user's password to their email. I found one website where you can either enter the username or email to recover the password. I tried this method using an active username from the site and tampering the data, putting in my email where I thought I should. But it didn't work.

So my question: is this possible? And if so, any ideas on how I could get this to work?

- Mitch


Re: Stealing passwords?

Post by Goatboy on Sat Dec 28, 2013 12:32 pm

You're misunderstanding how password reset functions work.

When you click "I forgot my password" it asks for either the username or the email. If you type in the email, the site uses it to look up the associated username and sends it to you in an email along with a link to reset the password. Likewise if you enter in the username, the site uses that to look up the email and does the same. A secure site should *never* be able to just send you the password, nor should it allow you to choose what email to send a password reset to. Along those lines, the link should be randomized so people can't just go to "http://www.somesite.com/forgot.php?user=goatboy&action=reset". Extra credit should be given for sites that enforce a time limit on the link. You could even argue that it should be by email lookup only and not username, so someone who tries to break in would need knowledge that typically isn't attached to each post.

Now as for Tamper Data, that only captures traffic going into or out of the browser. Since the password is never sent in plain text (at least on any mildly secure system) and it is sent to an email, there is no way Tamper Data will see it.

Does this make sense?
Assume that everything I say is or could be a lie.
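The reset flow described in the reply above, sketched server-side as an added example that is not part of the original thread or any real site's code: the mail goes only to the address on file, the link carries a random token instead of a username, and the token expires and works once. The `USERS` store, the 15-minute lifetime, the function names and the link format are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample account store; a real site would query its user database.
USERS = {"goatboy": {"email": "goatboy@example.com"}}
RESET_TTL = 15 * 60          # assumed lifetime of a reset link, in seconds
_pending = {}                # sha256(token) -> (username, expiry time)


def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(identifier, form_email=None, now=None):
    """Return (recipient, link) for a known username or email, else None.

    form_email stands in for an address a tampered request might carry;
    it is deliberately never used. Mail only goes to the address on file.
    """
    now = time.time() if now is None else now
    for username, record in USERS.items():
        if identifier in (username, record["email"]):
            token = secrets.token_urlsafe(32)   # random, unlike ?user=goatboy
            _pending[_digest(token)] = (username, now + RESET_TTL)
            link = "http://www.somesite.com/forgot.php?token=" + token
            return record["email"], link
    return None


def redeem(token, now=None):
    """Return the username the token resets, or None if unknown, expired or used."""
    now = time.time() if now is None else now
    entry = _pending.pop(_digest(token), None)  # pop makes the link single use
    if entry is None:
        return None
    username, expires = entry
    return username if now <= expires else None
```
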


