brute-force attack with a list of enumerated or common usernames

Many applications employ a process in which credentials for newly created

accounts are distributed to users out-of-band of their normal interaction with

the application (for example, via post or email). Sometimes, this is done for rea-

sons motivated by security concerns — for example, to provide assurance that

the postal or email address supplied by the user actually belongs to that person.

In some cases, this process can present a security risk. For example, if the

message distributed contains both username and password, there is no time

limit on their use, and there is no requirement for the user to change password

on first login, then it is highly likely that a large number, even a majority, of

application users will not modify their initial credentials and that the distribu-

tion messages will remain in existence for a lengthy period during which they

may be accessed by an unauthorized party.

Sometimes, what is distributed is not the credentials themselves, but rather

an “account activation” URL, which enables users to set their own initial pass-

word. If the series of these URLs sent to successive users manifests any kind of

sequence, then an attacker can identify this by registering multiple users in

close succession, and then infer the activation URLs sent to recent and forth-

coming users.

HACK STEPS

■