Credential stuffing


Credential stuffing is a type of cyberattack in which the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the corresponding passwords (often from a data breach), and then uses the credentials to gain unauthorized access to user accounts on other systems through large-scale automated login requests directed against a web application. [1] Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet. [2] [3]


Credential stuffing attacks are possible because many users reuse the same username/password combination across multiple sites, with one survey reporting that 81% of users have reused a password across two or more sites and 25% of users use the same passwords across a majority of their accounts. [4] In 2017, the FTC issued an advisory suggesting specific actions companies needed to take against credential stuffing, such as insisting on secure passwords and guarding against attacks. [5] According to former Google click fraud czar Shuman Ghosemajumder, credential stuffing attacks have up to a 2% login success rate, meaning that one million stolen credentials can take over 20,000 accounts. [6] Wired Magazine described the best ways to protect against credential stuffing as using unique passwords on accounts, such as those generated automatically by a password manager, enabling two-factor authentication, and having companies detect and stop credential stuffing attacks. [7]
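The distinction drawn above between credential cracking (many guesses against one account) and credential stuffing (one attempt each against many accounts, mostly failing) is what a site-side detector can key on. The following is an added example and not part of the original article: it aggregates constructed login-audit lines (a hypothetical key=value format, addresses from documentation ranges, invented usernames) per source address and flags sources that try many distinct usernames with a high failure rate. The thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed login-audit lines in a hypothetical "key=value" format; the addresses
# come from RFC 5737 documentation ranges and the users are invented.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.7 user=alice result=fail
2024-03-01T10:00:01Z src=203.0.113.7 user=bob result=fail
2024-03-01T10:00:02Z src=203.0.113.7 user=carol result=fail
2024-03-01T10:00:02Z src=203.0.113.7 user=dave result=fail
2024-03-01T10:00:03Z src=203.0.113.7 user=erin result=success
2024-03-01T10:00:03Z src=203.0.113.7 user=frank result=fail
2024-03-01T10:00:04Z src=203.0.113.7 user=grace result=fail
2024-03-01T10:00:04Z src=203.0.113.7 user=heidi result=fail
2024-03-01T10:05:00Z src=198.51.100.4 user=alice result=fail
2024-03-01T10:05:20Z src=198.51.100.4 user=alice result=fail
2024-03-01T10:05:45Z src=198.51.100.4 user=alice result=success
2024-03-01T10:10:00Z src=198.51.100.9 user=bob result=fail
2024-03-01T10:10:01Z src=198.51.100.9 user=bob result=fail
2024-03-01T10:10:02Z src=198.51.100.9 user=bob result=fail
2024-03-01T10:10:03Z src=198.51.100.9 user=bob result=fail
2024-03-01T10:10:04Z src=198.51.100.9 user=bob result=fail
2024-03-01T10:10:05Z src=198.51.100.9 user=bob result=fail
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


@dataclass
class SourceStats:
    """Per-source-address counters the detector reasons about."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def parse_lines(text: str):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(events) -> dict:
    """Group attempts, failures and distinct usernames by source address."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "fail":
            s.failures += 1
    return dict(stats)


def flag_stuffing(stats: dict, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.7) -> dict:
    """Flag sources that spray many different usernames and mostly fail.

    A single user retrying their own password (few attempts, one username) and a
    brute-force run against one account (many attempts, one username) both fall
    below the distinct-username threshold and are not reported here.
    """
    flagged = {}
    for src, s in stats.items():
        if s.attempts < min_attempts:
            continue
        ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": ratio,
            }
    return flagged


def detect(text: str, **thresholds) -> dict:
    """Parse, aggregate and flag in one call."""
    return flag_stuffing(aggregate(parse_lines(text)), **thresholds)


if __name__ == "__main__":
    for src, info in detect(SAMPLE_LOG).items():
        print(f"{src}: {info}")
```

The success against `erin` inside the flagged burst is the event that matters operationally: a stuffing run with a 2% hit rate, as cited above, still yields real account takeovers, so the flagged source's successful logins are the sessions to review and, where policy allows, invalidate.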

Credential spills

A credential spill, alternatively referred to as a data breach or leak, arises when unauthorized individuals or groups illicitly obtain access to sensitive user credentials that organizations store. Such credentials frequently comprise usernames, email addresses, and passwords. The repercussions of credential spills can be significant, as they commonly subject users to a range of hazards, including identity theft, financial fraud, and unauthorized account infiltration. [8]

Credential stuffing attacks are considered among the top threats for web and mobile applications as a result of the volume of credential spills. More than three billion credentials were spilled through online data breaches in 2016 alone. [9]

Origin

The term was coined by Sumit Agarwal, co-founder of Shape Security, who was serving as Deputy Assistant Secretary of Defense at the Pentagon at the time. [10]

Incidents

On 20 August 2018, U.K. health and beauty retailer Superdrug was targeted with an attempted blackmail, with hackers showing purported evidence that they had penetrated the company's site and downloaded 20,000 users' records. The evidence was most likely obtained from hacks and spillages and then used as the source for credential stuffing attacks to glean information to create the bogus evidence. [11] [12]

In October and November 2016, attackers gained access to a private GitHub repository used by Uber (Uber BV and Uber UK) developers, using employees' usernames and passwords that had been compromised in previous breaches. The hackers claimed to have hijacked 12 employees' user accounts using the credential-stuffing method, as email addresses and passwords had been reused on other platforms. Multi-factor authentication, though available, was not activated for the affected accounts. The hackers located credentials for the company's AWS datastore in the repository files, which they used to obtain access to the records of 32 million non-US users and 3.7 million non-US drivers, as well as other data contained in over 100 S3 buckets. The attackers alerted Uber, demanding payment of $100,000 to agree to delete the data. The company paid through a bug bounty program but did not disclose the incident to affected parties for more than a year. After the breach came to light, the company was fined £385,000 (reduced to £308,000) by the U.K. Information Commissioner's Office. [13]

In 2019, cybersecurity research firm Night Lion Security claimed in a report that credential stuffing was the favored attack method of GnosticPlayers. [14]

Compromised credential checking

Compromised credential checking is a technique that lets websites, web browsers or password-manager extensions notify users when one of their passwords has appeared in a known data breach.

In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify whether a password was leaked without fully disclosing the searched password. [15] [16] This protocol was implemented as a public API and is now consumed by multiple websites and services, including password managers [17] [18] and browser extensions. [19] [20] This approach was later replicated by Google's Password Checkup feature. [21] [22] [23] Ali worked with academics at Cornell University to develop new versions of the protocol known as Frequency Smoothing Bucketization (FSB) and Identifier-Based Bucketization (IDB). [24] In March 2020, cryptographic padding was added to the protocol. [25]
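To make the k-anonymity design concrete, the following is an added example and not Cloudflare's or Have I Been Pwned's own code. It models the range-query protocol the paragraph describes: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known hash suffix sharing that prefix, and compares locally, so the server never learns the full hash. A simulated in-memory server stands in for the public API, built from a constructed, hypothetical corpus of breached passwords; the March 2020 padding is modelled by filling each response with fake suffixes carrying a count of 0, with the padded bucket size of 800 an assumption for the simulation.

```python
import hashlib
import secrets

# Constructed stand-in for a breached-password corpus (hypothetical counts, not real breach data).
SAMPLE_BREACHED_PASSWORDS = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "letmein": 1_234,
}

HEX_DIGITS = set("0123456789ABCDEF")
PREFIX_LEN = 5   # the client reveals only this many hex digits of its hash
PAD_TO = 800     # assumed padded bucket size for this simulation


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the range lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class SimulatedRangeServer:
    """Offline stand-in for a range endpoint: buckets known hashes by their prefix."""

    def __init__(self, breached: dict):
        self.buckets = {}
        for pw, count in breached.items():
            h = sha1_hex(pw)
            self.buckets.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], count))

    def range(self, prefix: str, padding: bool = False):
        """Return (suffix, count) pairs for every known hash starting with prefix."""
        if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be 5 upper-case hex characters")
        entries = list(self.buckets.get(prefix, []))
        if padding:
            # Padding entries carry count 0 so the client can ignore them. With padding on,
            # every response has the same number of lines, so response size no longer
            # reveals how many real hashes share the queried prefix.
            while len(entries) < PAD_TO:
                entries.append((secrets.token_hex(18).upper()[:40 - PREFIX_LEN], 0))
        return entries


def check_password(password: str, server: SimulatedRangeServer, padding: bool = True) -> int:
    """Client side: send only the prefix, match the suffix locally, return the breach count (0 if absent)."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for s, count in server.range(prefix, padding=padding):
        if count > 0 and s == suffix:   # skip padding entries, then compare the secret part locally
            return count
    return 0


def response_lines(server: SimulatedRangeServer, password: str, padding: bool) -> int:
    """How many lines the server returned for this password's prefix (shows what padding hides)."""
    return len(server.range(sha1_hex(password)[:PREFIX_LEN], padding=padding))


if __name__ == "__main__":
    server = SimulatedRangeServer(SAMPLE_BREACHED_PASSWORDS)
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_password(pw, server)} times, "
              f"{response_lines(server, pw, padding=True)} response lines")
```

The anonymity set is every hash in the corpus that shares the five-character prefix, so a server-side observer learns only that the client's password hashes into that bucket. Padding closes the remaining side channel: without it, the number of lines returned for a prefix is itself a fingerprint of which prefix was asked for.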

Compromised credential checking implementations

| Protocol | Developers | Made public | References |
|---|---|---|---|
| k-Anonymity | Junade Ali (Cloudflare), Troy Hunt (Have I Been Pwned?) | 21 February 2018 | [26] [27] |
| Frequency Smoothing Bucketization & Identifier Based Bucketization | Cornell University (Lucy Li, Bijeeta Pal, Rahul Chatterjee, Thomas Ristenpart), Cloudflare (Junade Ali, Nick Sullivan) | May 2019 | [28] |
| Google Password Checkup (GPC) | Google, Stanford University | August 2019 | [29] [30] |
| Active Credential Stuffing Detection | University of North Carolina at Chapel Hill (Ke Coby Wang, Michael K. Reiter) | December 2019 | [31] |


References

  1. "Credential Stuffing". OWASP.
  2. "Credential Spill Report" (PDF). Shape Security. January 2017. p. 23. The most popular credential stuffing tool, Sentry MBA, uses 'config' files for target websites that contain all the login sequence logic needed to automate login attempts
  3. "Use of credential Stuffing Tools". NCSC.
  4. "Wake-Up Call on Users' Poor Password Habits" (PDF). SecureAuth. July 2017. Archived from the original (PDF) on 2018-08-12. Retrieved 2018-07-11.
  5. "Stick with Security: Require secure passwords and authentication". Federal Trade Commission. 2017-08-11. Retrieved 2021-04-11.
  6. Ghosemajumder, Shuman (2017-12-04). "You Can't Secure 100% of Your Data 100% of the Time". Harvard Business Review. ISSN 0017-8012. Retrieved 2021-04-11.
  7. "What Is Credential Stuffing?". Wired. ISSN 1059-1028. Retrieved 2021-04-11.
  8. Shanker, Ed (March 8, 2022). "Credential Stuffing". Retrieved May 19, 2023.
  9. Chickowski, Ericka (January 17, 2017). "Credential-Stuffing Attacks Take Enterprise Systems By Storm". DarkReading. Retrieved February 19, 2017.
  10. Townsend, Kevin (January 17, 2017). "Credential Stuffing: a Successful and Growing Attack Methodology". Security Week. Retrieved February 19, 2017.
  11. "Super-mugs: Hackers claim to have snatched 20k customer records from Brit biz Superdrug". The Register.
  12. "Superdrug Rebuffs Super Ransom After Supposed Super Heist – Finance Crypto Community". 23 August 2018.
  13. "Monetary Penalty Notice (Uber)" (PDF). Information Commissioner's Office. 27 November 2018.
  14. "GnosticPlayers Part 1: An Overview of Hackers Nclay, DDB, and NSFW". Night Lion Security. 2019-12-30. Retrieved 2022-03-06.
  15. "Find out if your password has been pwned—without sending it to a server". Ars Technica. Retrieved 2018-05-24.
  16. "1Password bolts on a 'pwned password' check – TechCrunch". techcrunch.com. 23 February 2018. Retrieved 2018-05-24.
  17. "1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online". Retrieved 2018-05-24.
  18. Conger, Kate. "1Password Helps You Find Out if Your Password Is Pwned". Gizmodo. Retrieved 2018-05-24.
  19. Condon, Stephanie. "Okta offers free multi-factor authentication with new product, One App". ZDNet. Retrieved 2018-05-24.
  20. Coren, Michael J. "The world's biggest database of hacked passwords is now a Chrome extension that checks yours automatically". Quartz. Retrieved 2018-05-24.
  21. Wagenseil I, Paul (5 February 2019). "Google's New Chrome Extension Finds Your Hacked Passwords". www.laptopmag.com.
  22. "Google Launches Password Checkup Extension to Alert Users of Data Breaches". BleepingComputer.
  23. Dsouza, Melisha (6 February 2019). "Google's new Chrome extension 'Password CheckUp' checks if your username or password has been exposed to a third party breach". Packt Hub.
  24. Li, Lucy; Pal, Bijeeta; Ali, Junade; Sullivan, Nick; Chatterjee, Rahul; Ristenpart, Thomas (2019-11-06). "Protocols for Checking Compromised Credentials". Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM. pp. 1387–1403. arXiv:1905.13737. Bibcode:2019arXiv190513737L. doi:10.1145/3319535.3354229. ISBN 978-1-4503-6747-9. S2CID 173188856.
  25. Ali, Junade (4 March 2020). "Pwned Passwords Padding (ft. Lava Lamps and Workers)". The Cloudflare Blog. Retrieved 12 May 2020.
  26. Ali, Junade (21 February 2018). "Validating Leaked Passwords with k-Anonymity". The Cloudflare Blog. Retrieved 12 May 2020.
  27. Ali, Junade (5 October 2017). "Mechanism for the prevention of password reuse through Anonymized Hashes". PeerJ Preprints. doi:10.7287/peerj.preprints.3322v1. Retrieved 12 May 2020.
  28. Li, Lucy; Pal, Bijeeta; Ali, Junade; Sullivan, Nick; Chatterjee, Rahul; Ristenpart, Thomas (4 September 2019). "Protocols for Checking Compromised Credentials". arXiv:1905.13737 [cs.CR].
  29. Thomas, Kurt; Pullman, Jennifer; Yeo, Kevin; Raghunathan, Ananth; Kelley, Patrick Gage; Invernizzi, Luca; Benko, Borbala; Pietraszek, Tadek; Patel, Sarvar; Boneh, Dan; Bursztein, Elie (2019). "Protecting accounts from credential stuffing with password breach alerting". pp. 1556–1571. ISBN 9781939133069.
  30. Cimpanu, Catalin. "Google launches Password Checkup feature, will add it to Chrome later this year". ZDNet. Retrieved 12 May 2020.
  31. Wang, Ke Coby; Reiter, Michael K. (2020). "Detecting Stuffing of a User's Credentials at Her Own Accounts". pp. 2201–2218. arXiv:1912.11118. ISBN 9781939133175.