Newsletter #13: I Hacked My Own Fake Account
Boy, do I have a story to share with you this week.
So, I was exploring different platforms for creating and distributing online content. Interestingly enough, on one platform, when I went to reserve “cloudsecuritylabs,” it said that it was taken. Well, I found that interesting, but not surprising. When I went to the link, I saw my logo and everything. I chalked it up to one of those late nights signing up for services, and figured I had just forgotten it.
On second look though, I noticed links to social media platforms I HAD NOT CREATED.
Ok, maybe my intern created them, or, again, one of those late nights. Nope. It seems that someone had created social media links (including a YouTube channel) with my logo and tagline. I found this very strange, but we live in a strange world. This is not something new, and I have clients that have this same problem.
I guess I have a copycat? 🙂
Now, here’s where it’s interesting!
I wanted to dispute/claim the username, so I emailed the provider where I initially found this asking to gain access to this account. I thought it would be a lot of back and forth proving my domain.
They emailed me the email address and reset the account password to “password!”
I almost fell out of my chair!
They were nice enough to give me the full email address the account was registered under AND reset the password. THAT is customer support! LOL
I still haven’t and probably won’t figure out who exactly did this. But here are some takeaways:
- Make sure your customer support teams are trained properly on password reset flow.
- They should never give away the email or username of an account without verification.
- Passwords should be reset to the email on file (although that wouldn’t have helped me here, lol)
- If a user lost access to their email/username, have them authenticate using some other information or escalate it to level 2 support
- Do not give CSRs the ability to change passwords for customers. Instead, use a one-time, self-expiring password reset link sent via email.
- If anyone at the company can read a user’s password back to them, the passwords are not being stored as one-way hashes. I had a bank send me my password once!
- Account spoofs are real. Others will try to impersonate your brand. Be sure to protect everything from your domain registration to your Google search results.
- Ensure you have a security@ and abuse@ email address on file for your company as per RFC 2142, so security researchers can contact you.
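As an added example (not from the newsletter), here is a minimal Python sketch of the reset flow the last few takeaways describe: a random single-use token whose hash is stored with an expiry, a redeem step that rejects unknown, expired and already-used links, and a support entry point that only triggers delivery to the address on file and returns a generic message. The in-memory store, the 15-minute TTL and the `deliver` callback are assumptions for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RESET_TTL_SECONDS = 15 * 60  # assumed: link is valid for 15 minutes


@dataclass
class ResetRequest:
    user_id: str
    expires_at: float
    used: bool = False


# Constructed in-memory store keyed by SHA-256(token); a real service would
# use its database. Only the hash is stored, so neither a CSR reading the
# record nor a leaked table yields a usable link.
_pending: Dict[bytes, ResetRequest] = {}


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_link(user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use, expiring token. The return value is the only
    copy of the secret; it belongs in the email, never in a support ticket."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending[_digest(token)] = ResetRequest(user_id, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is valid, otherwise None.
    Unknown, expired and reused tokens all fail; a valid one is burned."""
    now = time.time() if now is None else now
    req = _pending.get(_digest(token))
    if req is None or req.used or now > req.expires_at:
        return None
    req.used = True  # single use: a second click on the same link fails
    return req.user_id


def support_start_reset(user_id: str, deliver: Callable[[str, str], None]) -> str:
    """The only reset action a CSR can take. `deliver` (assumed) looks up
    the address on file and sends the link; the agent sees neither the
    address nor the token, only this generic confirmation."""
    deliver(user_id, issue_reset_link(user_id))
    return "A password reset link has been sent to the email address on file."
```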
Ok, I know this was a little long, but I hope you enjoyed it as much as I did.
PS. I’m in the process of contacting their security team. Curious to see what they have to say.
This article was previously posted in the Newsletter.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.