I’ve posted before about my disdain for password recovery systems that use Secret Questions. Secret Questions are just like another password, ugh, but based on your personal information. Not only that, they are often easily broken. This post on Flawed Security Lets Sprint Accounts Get Easily Hijacked serves as a perfect example of Weak Password Recovery Validation. In this case, all you need to hijack someone’s account was/is their “cellphone number, just a smidge about them, and have half a brain.” Then let the privacy invasion and fraudulent charges game begin! This reminds me of the Paris Hilton cell phone hack.
There’s a funny snippet at the bottom:
“Currently, we are not aware of any instances of fraud occurring through the question and answer scenario that you've described;”
And why would Sprint notice? In the logs it wouldn’t look like some kind of whacked-out XSS or SQLi attack; it’ll appear just like legit traffic, so no one is really going to notice anyway. If an account got hijacked, what are the odds it would be chalked up to either the user giving up their password, choosing a weak one, being sniffed by some form of malware, or whatever -- anything except the exploitation of a website vulnerability? For an attacker, that’s the beauty of business logic flaws. Chalk up another example to use in my presentations.
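Since abuse of a secret-question recovery flow looks like ordinary traffic, the only way to catch it is behaviourally: too many failed answers against one account, or one source walking the recovery flow for many different accounts. The following is an added example written for this post, not code from the original or from Sprint; the log line format, the field names and the thresholds are all assumptions, and the log lines are constructed.

```python
# Added example: flag recovery-question abuse from plain web logs.
# Assumed log format (constructed): "<iso timestamp> <source ip> acct=<id> event=<name> result=<ok|fail>"
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source hammers one account's secret question,
# then walks the recovery flow for several other accounts within the hour.
SAMPLE_LOG = """\
2009-05-01T10:00:01 203.0.113.5 acct=5551234 event=recovery_answer result=fail
2009-05-01T10:00:09 203.0.113.5 acct=5551234 event=recovery_answer result=fail
2009-05-01T10:00:20 203.0.113.5 acct=5551234 event=recovery_answer result=fail
2009-05-01T10:00:31 203.0.113.5 acct=5551234 event=recovery_answer result=ok
2009-05-01T10:05:00 203.0.113.5 acct=5559876 event=recovery_answer result=ok
2009-05-01T10:06:00 203.0.113.5 acct=5550000 event=recovery_answer result=fail
2009-05-01T10:07:00 203.0.113.5 acct=5551111 event=recovery_answer result=ok
2009-05-01T11:00:00 198.51.100.7 acct=5552222 event=recovery_answer result=ok
"""

def parse(line):
    """Split one assumed-format log line into (timestamp, ip, account, result)."""
    ts, ip, acct, _event, result = line.split()
    return (datetime.fromisoformat(ts), ip,
            acct.split("=", 1)[1], result.split("=", 1)[1])

def flag_recovery_abuse(log_text, max_fails=3, fail_window=timedelta(minutes=10),
                        max_accounts_per_ip=3, ip_window=timedelta(hours=1)):
    """Return (accounts with >= max_fails failed answers inside fail_window,
    source IPs that hit >= max_accounts_per_ip distinct accounts inside ip_window).
    Thresholds are assumptions; tune them to the site's real recovery traffic."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    fails = defaultdict(list)      # account -> timestamps of failed answers in window
    touched = defaultdict(list)    # ip -> (timestamp, account) pairs in window
    flagged_accounts, flagged_ips = set(), set()
    for ts, ip, acct, result in events:
        if result != "ok":
            fails[acct] = [t for t in fails[acct] if ts - t <= fail_window] + [ts]
            if len(fails[acct]) >= max_fails:
                flagged_accounts.add(acct)
        touched[ip] = [(t, a) for t, a in touched[ip] if ts - t <= ip_window] + [(ts, acct)]
        if len({a for _, a in touched[ip]}) >= max_accounts_per_ip:
            flagged_ips.add(ip)
    return flagged_accounts, flagged_ips

if __name__ == "__main__":
    print(flag_recovery_abuse(SAMPLE_LOG))
```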