Broken User Authentication
Authentication is one of the foremost processes of verifying a user’s credentials. A vulnerability in this process that could result in the exposure of an application’s services and data is called Broken User Authentication. In recent years, Broken User Authentication web attacks have accounted for some of the most infamous data breaches and are deemed to be a high-priority topic among the cyber security community. OWASP (Open Web Application Security Project) had listed Broken User Authentication as the second most commonly faced vulnerability in their API Top 10 list in 2019. In this article, we will be looking at what Broken User Authentication is and how one could take measures against it.
What is Broken User Authentication?
A web application authenticates a user by validating the credentials before proceeding further into the application. If the API for this validation process returns a positive result without proper credentials, then it means that there is a Broken User Authentication vulnerability in the app.
Broken User Authentication is a web security vulnerability that occurs when an unauthorized user impersonates a legitimate one and accesses a web application without proper credentials. This creates a rupture in the integrity of the authentication process, which can result in the compromise of passwords, key or session tokens, and other sensitive user information. This occurs primarily due to improper credential and session management leading to compromisation of security. We will be trying to understand Security compromises in detail in the following section.
Types of Security Compromises
- Credential Management: Credentials serve as the keys to a plethora of platforms, tools, and services that a user or an organization can use to access sensitive data. They are classified as confidential to prevent the third party from accessing the application’s resources. Companies with poor credential management systems may face adverse consequences like a breach of data, operational disruption, reputational damage, etc. Some of the common methods used by hackers to compromise security are:
- Credential stuffing: Credential stuffing is the brute force approach of trying to gain access using a set of leaked or stolen credentials. Numerous passwords and usernames are leaked from insecure websites. These credentials are collected by hackers and are used to try and gain access to other websites. If a user reuses their credentials on multiple websites then it gives the hacker easy access to sensitive information. When web applications do not verify requests via captcha, credentials alone would be enough to gain access to restricted platforms. To prevent this, a user can follow proper credential management and avoid reusing passwords and other sensitive information.
- Password spraying: Password spraying uses a set of passwords that might be used frequently or can be easily guessed. Many web applications have automatic lookouts to counter brute force attacks. Commonly used brute force attacks bombard different combinations as a single user. Password spraying, though a type of brute force attack, generally slips past automatic lookouts as it only tries a single password one user at a time.
- Session Management: Another security compromise that can lead to Broken User Authentication is improper Session Management. Session Management is responsible for monitoring and maintaining sessions between web apps and users. A session begins when the authentication of a user is successful. Then it assigns a session ID which allows communication between the user and the application. Sensitive information is exchanged between the application and the user with the assigned session ID, which can be stored in secure cookies. Common methods of session management compromises are as follows:
- Session hijacking: A session ID, when accepted, will stay the same and continue to exist till the session gets terminated. When such a session is left unterminated from a non-personal device, hackers can continue the session on the device and extract sensitive information from it.
- Misconfigured session timeouts: In this scenario even after the user logs out, information can be compromised via cookies. A session cookie is a transient cookie that does not get stored in any device but it has information about what the user types and where they navigate during that session. When hackers gain access to these cookies, they can extract sensitive data used in a particular session with ease.
To understand the adverse effects of Broken User Authentication, let’s explore a real-life incident that happened with “Balboa Water Group” in the year 2018.
Smart Hot-tubs from Balboa had a vulnerability in their method of authentication. These devices contain a wifi access point onto which a user may connect his mobile application. The company had used static credentials and failed to authenticate its users. It was also noted that all Hot-tubs from the company had the same hotspot/WiFi ID prefixes (started with “BWGSpa_”).
With the aid of the public WiFi hotspot catalog from the internet, hackers were able to gather the static credentials and gained control over the hot tub. Additionally, the company had provided remote access through an API, hence it was possible to discover the geolocation through websites like wiggle using only an SSID.
It can be inferred from this incident that ignorance of security enforcement can lead to catastrophe. This means companies must go through a rigorous test of security before making their products available to the public.
How to improve your security?
Broken User Authentication can have damaging effects on your app, and your organization. Here are a few steps that can help you avoid this vulnerability:
- Multi-Factor Authentication: This is a method used to add one or more extra layers of security during the login process. For example, after a user enters the usual username and password, an additional OTP is sent to their email or SMS. This could help mitigate Broken User Authentication attacks.
- Customized/Unique passwords: Reputed organizations like Paypal and Binance have mandated the user to have customized and unique passwords, which cannot be breached by brute forcing or using a dictionary or other such common attacks. The general norm that is followed nowadays is to have a minimum of one capital letter, one small letter, one symbol, and one number in their passwords, and a minimum length of eight characters. This prevents password spraying attacks and significantly reduces the risks.
- Hashing your Password Storage: If passwords are stored as plain text without any encryption, it becomes easy for hackers to access these passwords, and potentially compromise large amounts of confidential data. Using hashing makes it immensely difficult for passwords to be cracked just by guessing them with the help of the hashed version. This greatly preserves the integrity of the password.
- Breached Password Detection: Users can be notified about all activities concerning their sensitive information. When hackers gain access to sensitive data and the password is breached, the user can be notified about this activity. If the activity was not performed by the user, the user can take steps to block access to the data until the password is changed. This feature enables timely action to be taken to prevent data theft.
- Invalidate Session IDs at end of a session: A unique session ID is given and that marks the beginning of a session where the transfer of sensitive and confidential data takes place between users and applications. The session, if left active/running after the interaction is complete, makes it easy for hackers to get the data used in the session. The server perceives anyone accessing it in the same session as the same person. It is necessary to terminate the session and invalidate the session IDs once a session is over.
- Encrypt API calls: Recent developments have seen a massive rise in data stored in the cloud. This means data belonging to multiple users is stored in one particular cloud platform in containers, which can be accessed using APIs. Hackers can use tools like Wireshark and other packet tracers to hijack the data traveling via these APIs, so you must encrypt the containers to prevent such attacks, and must send encrypted data in APIs.
Broken user authentication is a common, yet preventable vulnerability in web applications. Awareness of the nature of this particular problem and improvements in code security as well as runtime security can help companies go a long way in preserving the integrity of confidential information. Attacks can also be prevented by educating users on the different methods by which they can protect themselves from such attacks and vulnerabilities.