Web Application Security Consortium - Web hacking Incidents Database (WHID)

Date: 20 March 2006
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Weak Password Recovery Validation

A UK Security Consulting firm reports that 54 UK sites that it has surveyed have flaws in the "forgotten password" feature.

References:

Forgotten password clues create hacker risk [The Register]

WHID 2005-32: Weak password recovery on Citrix's site

Date: 03 August 2005
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Weak Password Recovery Validation

Weak password recovery procedure at Citrix

References:

Example of the worst passwd recovery interface [WebAppSec mailing list]

WHID 2005-5: Paris Hilton's T-Mobile online account hacked

Date: 22 February 2005
Incident Type: Security Breach
WASC Threat Classification: Insufficient Authentication, OS Commanding, Weak Password Recovery Validation

Details remain sketchy, but news reports include social engineering, a guessable secret question for password recovery, and a known vulnerability is BEA WebLogic

References:

Paris Hilton Hack Started With Old-Fashioned Con [Washington Post]

Paris Hilton: Victim of T-Mobile's Web Flaws? [PCWorld]

Known Hole Aided T-Mobile Breach [Wired.com]

How Paris Got Hacked? [O'Reilly Network]

WHID 2003-3: User passwords could be stolid in Microsoft's Passport service

Date: 08 May 2003
Incident Type: Vulnerability Disclosure
WASC Threat Classification: Weak Password Recovery Validation

References:

Microsoft faces huge fine over security [Zdnet]

Microsoft Patches .NET Passport Hole [AnyNetwork]

This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.