Context: Rsnake posts about hijacking deleted accounts.
The exploit described by Rsnake depends on two bad practices:
- New members are not guaranteed new (as in never-before-used) accounts
- Sensitive information is not deleted when an account is deleted
The idea is that if both of those conditions hold, then an attacker might be able to create new membership requests that end up linked to already existing accounts. The attacker can then use his "new" account to access stored sensitive information.
The particular scenario Rsnake outlines involves using cross-site request forgeries to delete an account and then hijack it, but the fundamental issues are as described above. There are a few good points to discuss about this issue.
First, it is obvious that an application should guarantee that new members get brand new, never-before-used accounts. Rsnake points out that poor database programming could let an attacker assert a username of a deleted user and thereby assume that deleted user's identity. He's right, and QA and security folks should test for such bad programming.
There's a related issue about email addresses that I want to talk about, but I'll do so in another post.
Now, let's take a look at the second condition: failure to delete sensitive information about the user when the user deletes the account. In a nutshell, be very careful about doing this. Have an attorney take a look at what you are keeping and what the risks are, especially if you are handling data from Europeans, who take privacy a lot more seriously.
Keep in mind that the hardware costs of storing data may be cheap, but the cost in terms of risk can easily outweigh the benefits. If that information is ever compromised, you will likely face a significant PR problem as well as possible lawsuits and regulatory investigations. Make sure that the business value of holding sensitive data regarding people who are no longer your customers is greater than the damage your company will likely face if that data is compromised. Otherwise, get rid of the data!
Similarly, you might want to make sure that your customers explicitly agree to having their sensitive data held for an indefinite period of time after they terminate their business relationship with you. Consult your attorney, but that at least might help you when the lawsuits come.
Okay, so that covers the two conditions necessary for this attack and what you can do to protect yourself. Ensure that all new members get brand new accounts, and weigh carefully the risks of storing information about folks who are no longer your customers.
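To make the two conditions concrete, here is an added example (not code from Rsnake's post or from any product he describes) in Python with an in-memory SQLite table. The weak version soft-deletes a row but keeps its data, and its signup path "revives" a soft-deleted row whose username matches, so a newcomer inherits the old id and whatever was stored under it. The hardened version scrubs sensitive fields on deletion, keeps the username retired through a UNIQUE constraint that spans deleted rows, and never resurrects an existing row. Table layout, function names and the sample card string are all constructed for the demonstration; `audit_retained_sensitive` is the kind of check QA could run to catch the second condition.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SENSITIVE = "card-ending-4242 (constructed sample)"


def make_db():
    """Minimal users table. UNIQUE applies to every row, deleted or not."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE users (
            id        INTEGER PRIMARY KEY AUTOINCREMENT,
            username  TEXT    NOT NULL UNIQUE,
            deleted   INTEGER NOT NULL DEFAULT 0,
            sensitive TEXT
        )"""
    )
    return conn


def register_first_user(conn, username, sensitive):
    """The original member, who stores something sensitive before leaving."""
    cur = conn.execute(
        "INSERT INTO users (username, sensitive) VALUES (?, ?)", (username, sensitive)
    )
    return cur.lastrowid


# --- Weak: both bad practices at once -------------------------------------
def delete_account_weak(conn, user_id):
    # Condition 2: flags the row but keeps every column intact.
    conn.execute("UPDATE users SET deleted = 1 WHERE id = ?", (user_id,))


def signup_weak(conn, username):
    # Condition 1: a "new" member can land on an already existing row.
    row = conn.execute(
        "SELECT id, deleted FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return conn.execute("INSERT INTO users (username) VALUES (?)", (username,)).lastrowid
    if row[1] == 1:
        # Revive the retired row: same id, same stored data, new owner.
        conn.execute("UPDATE users SET deleted = 0 WHERE id = ?", (row[0],))
        return row[0]
    raise ValueError("username taken")


# --- Hardened ---------------------------------------------------------------
def delete_account_hardened(conn, user_id):
    # Scrub sensitive data at deletion time; the row stays only as a tombstone
    # so the username cannot be claimed again.
    conn.execute("UPDATE users SET deleted = 1, sensitive = NULL WHERE id = ?", (user_id,))


def signup_hardened(conn, username):
    # Always a fresh row with a fresh id. The UNIQUE constraint rejects any
    # name held by a live or deleted account, so nothing is ever reused.
    try:
        return conn.execute("INSERT INTO users (username) VALUES (?)", (username,)).lastrowid
    except sqlite3.IntegrityError:
        return None


def profile(conn, user_id):
    return conn.execute(
        "SELECT username, deleted, sensitive FROM users WHERE id = ?", (user_id,)
    ).fetchone()


def audit_retained_sensitive(conn):
    """QA check: deleted accounts that still hold sensitive data."""
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE deleted = 1 AND sensitive IS NOT NULL"
    ).fetchone()[0]


def demo_weak():
    """Returns (newcomer got the old id?, data the newcomer can now read)."""
    conn = make_db()
    alice = register_first_user(conn, "alice", SENSITIVE)
    delete_account_weak(conn, alice)
    retained = audit_retained_sensitive(conn)
    newcomer = signup_weak(conn, "alice")
    return newcomer == alice, profile(conn, newcomer)[2], retained


def demo_hardened():
    """Returns (signup result for the retired name, data left on the old row)."""
    conn = make_db()
    alice = register_first_user(conn, "alice", SENSITIVE)
    delete_account_hardened(conn, alice)
    newcomer = signup_hardened(conn, "alice")
    return newcomer, profile(conn, alice)[2], audit_retained_sensitive(conn)


if __name__ == "__main__":
    print("weak:", demo_weak())          # (True, '<the sample card string>', 1)
    print("hardened:", demo_hardened())  # (None, None, 0)
```

The weak signup path is the "poor database programming" the post refers to: matching a signup against an existing row by username instead of always minting a new identity. Whether a real application should refuse the retired username outright (as here) or allow it on a brand-new row is a product decision; either way the old row's data must not follow the name.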