The vulnerability, found by security researcher Ryan Stevenson, allows a determined attacker to take over an account with just a username or email address. And a few hours worth of determination, an attacker can bypass the access code sent during the password reset process.
Stevenson found that the access code field was not limited, allowing him to enter as many codes as he wanted. By automating the process using a network intercept tool on a test account he created, Stevenson was able to reproduce the access code.
After disclosing the bug to Frontier, the cable giant told ZDNet that an investigation is underway.
“Out of an abundance of caution, while the matter is being investigated Frontier has shut down the functionality of changing a customer’s password via the web,” said the spokesperson.
Frontier is one of the largest internet providers in the US.
Stevenson demonstrated the password reset vulnerability in a video.
Using Burp Suite, a network intercept tool widely used by security researchers, and a test account he created, Stevenson automated the sending of hundreds of six-digit access code iterations to the browser, one after the other. In the demonstration, he showed that a correct code returned a bigger server response than the incorrect codes.
When he entered the correct code on the form, he could reset the account password.
Based on our calculations, Stevenson could generate around 100 codes in 10 seconds, amounting to a little over a day to run every combination of the code. Stevenson believes that a successful attack could have been achieved far sooner with a faster connection.
Because the password reset process is initially protected by a CAPTCHA form, an attacker likely would only be able to carry out targeted attacks on accounts.
It’s not known if anyone has exploited the password reset bug.