Wednesday, August 15, 2012

The Leaky Web: Owning Your Favorite CEOs

by Cesar Cerrudo @cesarcer

I have been researching new ways to get data about people easily by using different sources; I found something interesting and simple, which I presented to some people at IOAsis in Las Vegas a couple of weeks ago. You can find the slides here.

Most websites use the email address as a user name for authentication, but few websites use specific user names. When registering on a website, if the email address you want to use is already taken by an existing account, the website tells you that. When using the “Forgot password” feature, the website also tells you whether the email address is registered or not most of the time.

This very common situation allows attackers to enumerate which websites a person uses (or at least is registered on) just by knowing that person's email address. Because most people are registered on a dozen or more websites, this provides an opportunity to obtain valuable data and build a very detailed profile about a person. Because we use a lot of different websites they can tell a lot about what commodities and services we use including rental car company, airlines, electronic devices, hotels, online news, social media sites, e-commerce sites, even what GPS watch we use. All this data is incredibly easy to get.

Website enumeration can be done by anyone in seconds with a simple script or a little slower if you prefer to do it manually. No special skills are required;you just need to know the target's email address and then try it on different websites.

After enumerating all the websites on which the target person has an account, the attacker can try to hack the weakest website and get even more data such as the password; if the target reused their password, the attacker then has access to all the other websites, too. Also, if the websites contain XSS vulnerabilities then those can be used to bolster phishing attacks against the target users. An attacker can use the collected data to perform different attacks such as social engineering, phishing, denial of service, and identity theft.

I did an experiment to demonstrate that while this is a simple and not dangerous issue, it can have impact when a certain kind of person is targeted. For example, I got 840 corporate email addresses from C-level executives of Fortune 500 companies and checked those email addresses on 30 websites. I found the following:

·         250 social media website accounts (42 Facebook, 127 Twitter, 17 MySpace, 41 Plaxo, 6 Naymz, 17
·         241 news website accounts (58, 28, 5, 14, 52, 80, 4
·         35 media streaming website accounts (13, 22
·         43 hotel website accounts (29, 14
·         23 airline website accounts
·         38 GPS watch website accounts (,
·         176 Google, 11 Skype, 29, 76, and 8 accounts

As you can see, these are interesting results when you consider that these people are C-level executives and compromising any of them would potentially give attackers the keys to the kingdom; that is, access to important and sensitive company information, resources, et cetera. This is also useful when doing penetration tests and social engineering assessments; just get the target company's email addresses and enumerate the associated websites. Later, send emails that look similar to the previously-identified websites and wait for the fish.
All of this can be done easily and completely automated with a couple of scripts.


Data leakage on websites is a worldwide problem that doesn’t yet have a simple solution because this is how the web currently works. As representatives of the security world, are already asking users to employ different passwords on every website they visit and they either have a hard time doing it or they don’t do it at all. If we then ask them to use a different username for every website, things get even more complicated for the users.
End result—while Internet use increases, privacy decreases and the chance that we'll be attacked also increases.

C-level executives should use their corporate email address for email only. Therefore, companies should implement special security programs and policies to protect executives.

No comments:

Post a Comment