Frontier Communications password reset bug could allow hackers to bypass 2FA, take over accounts

Frontier Communications password reset bug could allow hackers to bypass 2FA, take over accounts

A bug in cable and internet giant Frontier Communications’ password reset system temporarily allowed an attacker to potentially hijack an account using just a username or password. The flaw could have allowed an attacker to bypass two-factor authentication access code sent when a user initiates a password reset.

The flaw was discovered by security researcher Ryan Stevenson who demonstrated the password reset vulnerability in a video, ZDNet reports.

Stevenson found that the access code field was not limited with the system allowing you to enter as many codes as they wished. For a determined attacker, they could enter hundreds of six-digit access code iterations until they hit the right one.

Using a test account he created and Burp Suite, a popular network intercept tool, Stevenson was able to reproduce the access code by automating the sending of hundreds of six-digit access codes one after the other to the browser, allowing him to filter out a correct code which returned a bigger server response than the incorrect ones. The correct code could then be used to reset the account password.

The password reset feature is protected by a CAPTCHA form which restricts an attacker’s ability and only allows them to carry out targeted attacks. However, a faster internet connection could make it easier for the attacker to crack the code since Stevenson’s demonstration could only generate around 100 codes in 10 seconds, taking him over a day to generate the right access code.

The password reset feature from the website was blocked temporarily by the cable and internet giant after the bug was reported, a Frontier spokesperson told ZDNet. "Out of an abundance of caution while the matter is being investigated, Frontier has shut down the functionality of changing a customer's password via the web," a company spokesperson said.

It is currently unknown how long the vulnerability was live on the website and if it was exploited by any attackers thus far.