
I was reading this answer on a question.

https://security.stackexchange.com/a/498/106817

Recently, at the OWASP AppSec 2010 conference in Orange County, Bill Cheswick from AT&T talked at length about this issue.

....

Allow a trusted party to vouch for the user, so he can change his password.

Granted, I know this is 6 years old at this point, but....

I was curious, is there really any added security to this? By "trusted party" is that assumed to be a friend, or someone else who is already authorized, or is it a site/app admin?

If someone is locked out of their account so much that they cannot use their email, or even the backup email for their main email, then how would their password be reset to begin with? Would it be given by this "Trusted source" to another email, or possibly over the phone/text (if a friend)?

So is there any way a hacker could hack Account A, which vouches Account B, and then do something malicious to Account B? It says "Trusted-party" so if the party ends up not being trusted, what's the worst that could happen?

I know some games implement "Vouchers" where you gain stuff if you vouch for a friend and bring them to the game, but I've never seen a voucher responsible in case their friend is locked out...

Any comments towards this? Thanks.

XaolingBao

2 Answers

A trusted party is exactly that: someone who is trusted when he identifies you.

The most basic vouching happens when you go in front of the HelpDesk and tell them that you forgot your password and are now locked out of your account. Then the IT staff vouches that it's you and resets your password.

Now suppose that no domain admin was available when you went there, and you had to go after explaining your problem to their intern. Then the intern would be vouching that the request to change your password indeed came from Lasagna and not from an impostor.

Another common case would be that such requests have to go through a ticketing system. Since you can't open a ticket while locked out, another user (e.g., your boss or any employee) opens the request for you, so they are vouching for your request.

In fact, it is quite common in physical security that an organiser has to come out to vouch for someone who is stopped by security while trying to get into the location.

If someone is locked out of their account so much that they cannot use their email, or even the backup email for their main email, then how would their password be reset to begin with? Would it be given by this "Trusted source" to another email, or possibly over the phone/text (if a friend)?

The trusted party might provide a new email. And yes, assuming the request is indeed genuine, he could be given the new temporary password. The password should be marked as requiring a change on next login, anyway.

Ángel

I would say because it allows a massive increase in potential damage if one account gets hacked.

Say I want to get into account A. If account A set up account B, C, and D into vouching for them, I have 3 more potential targets I could try to weasel access from. One of them is bound to have a weak password or is susceptible to social engineering. Now that I have access to account C, I can get access to any accounts that account C was set to "vouch" for as if I was locked out. From those accounts, I can continue onward and onward for all of the accounts that set them as vouch-able.

There are some safeguards that can be put in place, such as requiring a certain number or more of those "vouch-able accounts" to vouch for you that might make this safer.

d0nut
  • That's what I figured. If you rely on someone else, you put yourself at risk, in case they are hacked... Multiplying the vouches will only work if you need them all, or a good number of them, as hacking a fixed number could result in an easier breach than if your account was hacked.... The question is... Where does this vouch reset go? Why can't he change his password himself? – XaolingBao May 23 '16 at 22:28
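The spread of compromise that d0nut's answer and the comment describe can be modelled as a fixpoint over the vouch graph. The following is an added example, not code from the thread or from any real system; the account names and the vouch relationships are a constructed sample, and `reachable` / `unresettable` are hypothetical helpers written for this illustration. It compares a 1-of-n policy with a k-of-n threshold and also flags accounts that a threshold would lock out permanently, a caveat a deployment has to handle.

```python
"""Model the vouch-reset risk: an attacker who holds enough of an account's
vouchers can reset that account, and every account gained vouches onward.
A k-of-n threshold (the safeguard d0nut mentions) limits that spread."""
from typing import Dict, FrozenSet, Iterable, Set

# Constructed sample (hypothetical names): account -> accounts allowed to
# vouch for it. "C" has no vouchers, so it can only be attacked directly.
VOUCHERS: Dict[str, Set[str]] = {
    "A": {"B", "C", "D"},
    "B": {"C"},
    "C": set(),
    "D": {"A", "B"},
    "E": {"A", "B", "C"},
}


def reachable(vouchers: Dict[str, Set[str]], compromised: Iterable[str], k: int) -> FrozenSet[str]:
    """Accounts lost under a k-of-n vouch policy, starting from `compromised`.

    An account falls once at least k of its vouchers are held. Iterate to a
    fixpoint because each newly lost account may itself vouch for others."""
    lost: Set[str] = set(compromised)
    changed = True
    while changed:
        changed = False
        for acct, vs in vouchers.items():
            if acct in lost or not vs:
                continue
            if len(vs & lost) >= k:  # threshold met: the attacker can "vouch" a reset
                lost.add(acct)
                changed = True
    return frozenset(lost)


def unresettable(vouchers: Dict[str, Set[str]], k: int) -> FrozenSet[str]:
    """Accounts with fewer than k vouchers: under a k-of-n policy their owners
    can never use vouching to recover, so the policy must give them another
    recovery path (or require n >= k at enrolment)."""
    return frozenset(a for a, vs in vouchers.items() if len(vs) < k)


if __name__ == "__main__":
    for k in (1, 2):
        print(f"k={k}: losing C exposes {sorted(reachable(VOUCHERS, {'C'}, k))}")
    print("k=2: losing B and C exposes", sorted(reachable(VOUCHERS, {"B", "C"}, 2)))
    print("k=2: accounts with no vouch recovery:", sorted(unresettable(VOUCHERS, 2)))
```

Raising k from 1 to 2 keeps a single compromised voucher from cascading through the whole graph, but two compromised vouchers still take everything, and B and C lose vouch-based recovery entirely.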