I Hacked My Own Fake Account
Boy, do I have a story to share with you this week... So I was exploring different platforms for creating and distributing online content. Interestingly enough, on one platform when I went to reserve my name "cloudsecuritylabs" it said that it was taken. Well, I found that interesting, but not surprising. When I went to the link I saw my logo and everything. I chalked it up to one of those late nights signing up to services that I had just forgotten.

On second look, though, I noticed links to social media platforms I HAD NOT CREATED. Ok, maybe my intern created them, or again, one of those late nights. Nope. It seems that someone had created social media links (including a YouTube channel) with my logo and tagline. I found this very strange, but we live in a strange world. This is not something new, and I have clients that have this same problem. I guess I was honored to have a copycat? :)

Now here's where it's interesting! I wanted to dispute/claim the username, so I emailed the provider where I initially found this, asking to gain access to this account. I thought it would be a lot of back and forth proving my domain. Nope. They simply emailed me the email address and reset the account password to "password"! I almost fell out of my chair!! They were nice enough to give me the full email address the account was registered under AND reset the password. THAT is customer support! LOL

I still haven't, and probably won't, figure out who exactly did this. But here are some takeaways:
Make sure your customer support teams are trained properly on the password reset flow.
They should never give away the email address (username) of an account without verification.
Password resets should go to the email address on file (although that wouldn't have helped me here, lol).
If a user has lost access to their email/username, have them authenticate using some other information on record, or escalate it to level 2 support.
Do not give CSRs the ability to change passwords for customers. Instead, use one-time, self-expiring password reset links sent via email.
If you can read back the passwords of users, then they're not being properly hashed. I had a bank send me my password once!
Account spoofs are real. Companies will try to impersonate your brand. Be sure to protect everything from your domain registration to your Google search results.
Make sure you have security@ and abuse@ email addresses on file for your company, as per RFC 2142, so security researchers can contact you.
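As an added illustration of the reset flow these takeaways describe (example code written for this edit, not from the original newsletter or from any provider mentioned in it): a single-use, expiring reset token of which only a hash is stored, and a salted one-way password hash that no support agent can read back. The user names, addresses and 15-minute lifetime are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links expire after 15 minutes (assumed policy)

# Constructed in-memory stores standing in for the user database.
USERS = {"alice": {"email": "alice@example.test", "salt": None, "pw_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}


def _hash_token(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted one-way hash: nobody (a CSR included) can read the password back.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use token; the caller emails it to the address on file."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None  # the UI still shows the same "check your email" message
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash_token(token)] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password only if the token is known, unexpired, and not yet used."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(_hash_token(token), None)  # pop() makes the link single-use
    if record is None or now > record["expires"]:
        return False
    salt = secrets.token_bytes(16)
    user = USERS[record["user"]]
    user["salt"], user["pw_hash"] = salt, _hash_password(new_password, salt)
    return True


def verify_password(username: str, password: str) -> bool:
    user = USERS.get(username)
    if user is None or user["pw_hash"] is None:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
```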
Ok, I know this was a little long, but I hope you enjoyed it as much as I did.

Take care,
Ayman

P.S. I'm in the process of contacting their security team. Curious to see what they have to say.
If you liked this email, forward it to a friend! I'd appreciate it.