What is Broken User Authentication (BUA)?

In this blog, we will explore the issue of API2:2019 Broken User Authentication and how it can lead to serious security vulnerabilities in web applications.

But before we dive into broken user authentication, let’s first understand what authentication is. Authentication is like a bouncer at a fancy nightclub. Just like the bouncer checks IDs to make sure only authorized guests are allowed into the club, authentication checks to make sure only authorized users are allowed access to a web application. Imagine you're trying to log into your online shopping account. The application asks for your username and password, kind of like the bouncer asking for your ID. If the information you provide matches what the application has on file, you're granted access, just like the bouncer letting you into the club.

What is broken authentication?

Now imagine you're trying to log into the same online shopping account, but no matter what you do, you just can't get in. You've tried every password you can think of, but the site keeps telling you that you're entering the wrong information. Frustrated, you decide to reset your password. But when you go to do that, you realize that the site's password reset feature isn't working either. At this point, you might start to panic. What has happened? The site's user authentication system has been compromised. Someone may have gained unauthorized access to the system and changed your password, rendering it useless. This type of security vulnerability is known as broken user authentication, or BUA.

BUA is a major issue for web applications, as it allows attackers to potentially gain access to sensitive information or even take over entire accounts. It can happen for a variety of reasons, such as weak passwords, poor password management, or the absence of security measures such as two-factor authentication and CAPTCHA.

Example attack scenarios:

One of the primary ways that attackers exploit broken user authentication is through brute-force attacks. In a brute-force attack, the attacker will use automated tools or scripts to try many different passwords or OTPs in rapid succession to bypass authentication and gain access to the system.

Scenario 1:

In this scenario, an attacker attempts to take control of a victim's account by initiating the password recovery process. They do this by making a POST request to the password-reset endpoint: POST /identify/api/auth/password-reset HTTP/1.1

This triggers the application to send a four-digit OTP code to the victim's email. The attacker then tries to reset the victim's password by calling the verification endpoint with the correct OTP.

Verification endpoint: POST /identify/api/auth/v3/check-otp HTTP/1.1

The check-otp endpoint has no rate-limit protection. Hence, to find the correct OTP, the attacker can brute-force every possible four-digit code using tools such as Burp Suite Intruder or any automated script.
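As an added example (not code from the post or from Akto), the following Python models the password-reset and check-otp flow of Scenario 1 with the controls the endpoint lacked: a per-OTP attempt limit that discards the code after a few wrong guesses, an OTP lifetime, a per-account sliding-window rate limit on the verification endpoint, single-use codes, and a constant-time comparison. The concrete limits, the in-memory store and the outcome labels are assumptions chosen for the demo; the endpoint names in the comments are the ones the scenario quotes.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed limits for the demo; tune them per product and threat model.
OTP_DIGITS = 4                # the post's four-digit numeric OTP
OTP_TTL_SECONDS = 300         # assumed OTP lifetime
MAX_OTP_ATTEMPTS = 5          # assumed failed guesses allowed per issued OTP
MAX_CHECKS_PER_WINDOW = 10    # assumed per-account calls to check-otp per window
WINDOW_SECONDS = 60


@dataclass
class PendingReset:
    otp: str
    issued_at: float
    failed_attempts: int = 0


class PasswordResetService:
    """In-memory model of POST .../password-reset and POST .../check-otp with the missing controls."""

    def __init__(self, clock):
        self.clock = clock                      # callable returning seconds; injectable for tests
        self.pending: dict[str, PendingReset] = {}
        self.check_log: dict[str, list[float]] = {}

    def request_reset(self, account: str) -> str:
        """POST .../password-reset: mint a fresh OTP, replacing any earlier one for the account."""
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[account] = PendingReset(otp=otp, issued_at=self.clock())
        return otp  # a real service e-mails this; it is returned here only so the demo can use it

    def _over_rate_limit(self, account: str) -> bool:
        """Sliding-window count of check-otp calls per account (a real deployment also keys by IP)."""
        now = self.clock()
        recent = [t for t in self.check_log.get(account, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.check_log[account] = recent
        return len(recent) > MAX_CHECKS_PER_WINDOW

    def check_otp(self, account: str, guess: str) -> str:
        """POST .../check-otp: returns an outcome label instead of raising, for clarity."""
        if self._over_rate_limit(account):
            return "rate_limited"
        pending = self.pending.get(account)
        if pending is None:
            return "no_pending_reset"
        if self.clock() - pending.issued_at > OTP_TTL_SECONDS:
            del self.pending[account]
            return "expired"
        if not hmac.compare_digest(pending.otp.encode(), guess.encode()):
            pending.failed_attempts += 1
            if pending.failed_attempts >= MAX_OTP_ATTEMPTS:
                del self.pending[account]   # wrong guesses cannot accumulate against one code
                return "locked"
            return "wrong"
        del self.pending[account]           # single use: a correct code is consumed
        return "ok"


def guess_success_probability(attempts: int, digits: int = OTP_DIGITS) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random `digits`-digit code."""
    return min(attempts, 10 ** digits) / 10 ** digits


if __name__ == "__main__":
    import time
    svc = PasswordResetService(clock=time.time)
    svc.request_reset("demo-account")
    # Sequential guessing stops at the attempt limit instead of running through every code.
    outcomes = [svc.check_otp("demo-account", f"{i:04d}") for i in range(20)]
    print(outcomes)
    print(f"success chance with {MAX_OTP_ATTEMPTS} guesses: {guess_success_probability(MAX_OTP_ATTEMPTS):.4%}")
```

With the attempt cap, an attacker who holds the reset flow open gets at most `MAX_OTP_ATTEMPTS` guesses per issued code, so the success probability per reset is a few hundredths of a percent rather than certainty; the rate limit bounds how many resets can be cycled through per minute, and the lifetime bounds how long each code is worth guessing at all.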

Scenario 2:

Another common tactic used by attackers is known as credential stuffing. In this attack, the attacker uses specialized tools to guess the user's password based on common patterns and known information about the user, such as the user's name, birthdate, or other common words or phrases.

For example: imagine you're an online shopper, looking for the best deals on the latest gadgets. You've been careful to use unique, strong passwords for all of your accounts, so you feel confident that your personal information is safe. But little do you know, your password has already been compromised. A hacker has obtained a list of username and password combinations from a data breach and is now using a credential-stuffing tool to try those combinations on various websites and online services. Suddenly, you start getting notifications from your bank and credit card company about suspicious activity on your accounts. You quickly realize that the hacker has found a match and is now using your account to make purchases and drain your funds.


What’s the Impact?

Broken user authentication can have serious consequences for both individuals and organizations. Some potential impacts include:

  1. Loss of personal or confidential information: If an attacker is able to gain access to a user's account, they may be able to view and steal sensitive information such as financial data, personal identification, or confidential business documents.
  2. Loss of control over accounts: An attacker who is able to reset a user's password and gain access to their account can take control of that account and use it for their own purposes. This can include sending spam or phishing emails, making unauthorized purchases, or posting malicious content.
  3. Damage to reputation: If an attacker is able to access and misuse a user's social media or other online accounts, it can damage the user's reputation and cause harm to their personal or professional relationships.
  4. Financial loss: Broken user authentication can result in financial losses for both individuals and organizations. For example, an attacker who gains access to a user's financial accounts could drain their funds or make unauthorized purchases, leading to financial losses for the user.

How to prevent it?

There are several steps that individuals and organizations can take to prevent broken user authentication:

  1. Use strong, unique passwords: Use a combination of upper and lowercase letters, numbers, and special characters to create strong passwords that are difficult to guess or crack. Use a different password for each account to reduce the risk of credential stuffing attacks.
  2. Use strong secret keys: Use strong keys for password encryption or for auth token generation. RS256 (RSA signature with SHA-256) is a proven strong choice. Also ensure that the keys are rotated periodically and stored securely in a Key Management System.
  3. JWT specific measures: If you are using JWT as an authentication token, verify the expiration claim and the signing algorithm (reject alg: none). On the server side, ensure thorough JWT verification. Use a standard library as far as possible.
  4. Ensure tokens expire: Ensure tokens expire on logout, password reset, etc. Tokens generated for invitation APIs should be reset if the user re-initiates the invitation flow.
  5. Enable multi-factor authentication: Multi-factor authentication adds an extra layer of security by requiring users to provide additional authentication methods, such as a security token or a one-time password sent to their phone. This makes it much harder for attackers to gain access to accounts.
  6. Implement rate limiting: Rate limiting limits the number of attempts a user can make to log in or reset their password within a certain time frame. This can prevent brute-force attacks and make it harder for attackers to gain access to accounts.
  7. Regularly update passwords: Regularly update passwords to make them more difficult to guess or crack. Set passwords to expire after a certain period of time and encourage users to create new, unique passwords when prompted.
  8. Educate users: Educate users on the importance of strong, unique passwords and the dangers of credential stuffing and other types of attacks. Encourage them to be vigilant about protecting their accounts and to report any suspicious activity.
  9. Regularly test for broken authentication: You can use API security testing tools such as Akto to test the strength of passwords, check for vulnerabilities in multi-factor authentication systems, and look for signs of brute-force or credential stuffing attacks.

By implementing these measures, individuals and organizations can significantly reduce the risk of broken user authentication vulnerabilities and protect against the negative consequences of successful attacks. We will share some ways to test for broken user authentication in our upcoming blogs. Stay tuned!
