Sendgrid is, no doubt, at fault here. However, isn’t the real security hole the widespread practice of sending password reset links over email? Pragmatism and practicalities aside, a determined attacker could just snoop emails without gaining control of the Sendgrid account. Or am I missing something…?
How else would you reset a password when you can’t validate the user?
There are several services for which I would love the option to disable password resets. I promise to never, ever, ever lose my password and in return you promise to never allow some bumpkin to reset it.
well, the increasingly used alternative is to use a phone in some way (and that’s what happened here, although it saved the day via two factor auth rather than as part of the password change).
google keeps pestering me to confirm my cell phone. do they use it to confirm password changes? i guess i should stop ignoring them.
do third party services exist that make incorporating cell phones into password resets practical for smaller sites?
Yes, Google will send you an SMS to confirm password changes with a multi-digit code. (In other words, multi-factor auth).
And yes, there are services out there doing just that. I don’t recall any names, and I’m not going to shill for them. However I will say it’s pretty easy to write your own with a platform such as Twilio.
thanks; i just enabled two factor auth with google. it works well and seems to be nicely thought-out (including emergency backup codes and separate per-application passwords for places where sms won’t work).
[actually, what i was asking, although i wasn’t clear, is whether they use the phone when you change passwords, even if you’ve not enabled it otherwise.]
It seems well thought-out, until you realize that there’s nothing application-specific about “application passwords” and that if one of those is compromised, an attacker avoids all the security provided by 2fa.
i’m not sure what sendgrid is. i understand the original issue, but not how this would then be escalated. now i realise that once you have email “you can find ways to escalate to anything”, but i get the impression there was an obvious weakness here that i am missing just because i don’t know about sendgrid or bitcoins or something; can anyone explain? thanks!
Sendgrid is a commercial outbound e-mail provider that companies use to send out not-really-spam-but-sometimes-annoying broadcast e-mails. They apparently have a feature that lets all outbound e-mails get BCC’d to a recipient.
By taking over Chunkhost’s Sendgrid account, the attacker could receive copies of all e-mails that Chunkhost sends out. Once that was in place, the attacker just needed to initiate a password reset for a Chunkhost customer, Chunkhost sends the e-mail out through Sendgrid, and the attacker gets a copy of the e-mail. They reset the password, gain access to the Chunkhost customer’s account, and eat all their bitcoins or whatever.
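As an added illustration (not code from any commenter or from Chunkhost/Sendgrid) of the mitigation the thread circles around: a reset flow in which the emailed link alone is not enough, because a separate SMS code (deliverable via something like Twilio, which is left to the caller here) must also be presented. It assumes an in-memory pending-reset store and a hypothetical `PasswordResetFlow` class; a BCC’d copy of the e-mail yields only the link token, so it fails on its own.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # a pending reset is only valid for 15 minutes
MAX_ATTEMPTS = 5      # bound guessing of the 6-digit SMS code


class PasswordResetFlow:
    """Two-channel password reset: emailed link token AND SMS code required."""

    def __init__(self):
        # user -> [link_hash, sms_hash, expires_at, attempts_left]
        self._pending = {}

    @staticmethod
    def _h(value: str) -> bytes:
        return hashlib.sha256(value.encode()).digest()

    def start(self, user: str, now: float = None):
        """Create a pending reset; caller e-mails the link and texts the code."""
        now = time.time() if now is None else now
        link_token = secrets.token_urlsafe(32)          # goes into the e-mail link
        sms_code = f"{secrets.randbelow(10**6):06d}"    # goes to the phone only
        # Store only hashes so a database leak does not expose live tokens.
        self._pending[user] = [self._h(link_token), self._h(sms_code),
                               now + TOKEN_TTL, MAX_ATTEMPTS]
        return link_token, sms_code

    def complete(self, user: str, link_token: str, sms_code: str,
                 now: float = None) -> bool:
        """Return True only if both secrets match, are unexpired and unused."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None or now > entry[2]:
            self._pending.pop(user, None)
            return False
        entry[3] -= 1
        if entry[3] < 0:               # too many bad tries: invalidate the reset
            del self._pending[user]
            return False
        ok = (hmac.compare_digest(entry[0], self._h(link_token)) and
              hmac.compare_digest(entry[1], self._h(sms_code)))
        if ok:
            del self._pending[user]    # single use
        return ok
```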