How a script weakness in Mail.com’s password reset page cost Partap Davis $3000

5 03 2015

The Verge has posted an article of Partap Davis who lost his money being hacked overnight.

While he slept, an attacker undid every online security protection he set up. By the time he woke up, most of his online life had been compromised: two email accounts, his phone, his Twitter, his two-factor authenticator, and most importantly, his bitcoin wallets.

All of those accounts got hacked primarily because his main email address in mail.com was taken by the online perpetrator.

For simplicity’s sake, we’ll call her Eve.

How did Eve get in? We can’t say for sure, but it’s likely that she used a script to target a weakness in Mail.com’s password reset page. We know such a script existed. For months, users on the site Hackforum had been selling access to a script that reset specific account passwords on Mail.com. It was an old exploit by the time Davis was targeted, and the going rate was $5 per account. It’s unclear how the exploit worked and whether it has been closed in the months since, but it did exactly what Eve needed. Without any authentication, she was able to reset Davis’ password to a string of characters that only she knew.

Read the full article here:
http://www.theverge.com/a/anatomy-of-a-hack

Advertisements