Broken User Authentication

What is broken user authentication?

Poor implementation of API authentication allows attackers to predict or take over other users' identities. More generally, broken user authentication occurs when an API has an authentication system that does not work, or whose implementation fails in some cases, allowing an attacker to present himself as an authenticated user.

The weaknesses mentioned above can be divided into two groups: poor credential management and poor session management.

A. Poor credential management

Victim credentials can be collected to gain access to the system. There are various ways an attacker can steal such sensitive information, including the following −

  • Weak passwords − If the victim creates a weak password like '12345' or 'pass123', the attacker can use password cracking techniques such as rainbow tables and dictionary-based brute force to recover it and gain access to the system.

  • Weak cryptography − Protecting credentials with encoding schemes like base64 (which is not encryption at all) or weak hashing algorithms like SHA1 and MD5 leaves them vulnerable. That's why credentials must be stored using strong password-hashing algorithms that make password cracking challenging.

B. Poor session management

Whenever you log in, the application allocates you a session ID and stores all your interactions against it. It is through this session ID that the application recognises you and responds to your requests. If an attacker steals your session ID, they can sign in impersonating you. This is known as session hijacking.

Below is a list of scenarios that can cause broken authentication.

  • Weak usernames and passwords.

  • Session fixation attacks.

  • URL redirecting.

  • User identity details aren't protected with hashing algorithms when stored.

  • User identity details are transferred over unencrypted connections.

Broken Authentication Examples

Example #1 − Credential Stuffing

Suppose you run an online grocery store. To grow your business, you implement a CRM system that collects and stores critical customer data, such as name, phone number, username, and password.

Hackers find a way to exploit the CRM system and steal all the data. They then use the same credentials (usernames and passwords) to log in to the customers' central bank's database.

In this case, the hackers are trying to log in to the central bank's database in the hope that a customer is using the same credentials at both places. Such broken user authentication attacks are called credential stuffing.

Example #2 − Application session timeouts aren't set properly.

Suppose you go to a cyber cafe and log in to your Gmail account from their computer. After sending the mail, you just close the browser tab and return home.

Some time later, a hacker opens your Gmail account on that computer and gains access to your sensitive information. This happens because your logged-in session (and the credentials it represents) wasn't invalidated properly when you closed the browser, so the session never actually ended.

Thus, if application session timeouts aren't implemented properly, hackers can carry out a broken authentication attack.
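The session management described in section B and in Example #2 comes down to three server-side rules: session IDs must be unpredictable, they must expire (after a period of inactivity and after an absolute lifetime), and logout must invalidate them. The following is an added illustration, not code from the original page; the SessionStore class, its timeouts and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created_at: float   # when the session was issued
    last_seen: float    # last request that used it


class SessionStore:
    """In-memory session store with idle and absolute timeouts (hypothetical).

    Session IDs are random tokens from the OS CSPRNG, so they cannot be
    predicted. A session dies after `idle_timeout` seconds without activity
    and after `absolute_timeout` seconds regardless of activity; logout
    removes it server-side, so an ID left behind on a shared computer
    stops working instead of staying valid until the browser is closed.
    """

    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock            # injectable so tests can control time
        self._sessions = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str):
        """Return the user for a valid session ID, or None if unknown/expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > self.idle_timeout or now - s.created_at > self.absolute_timeout:
            del self._sessions[sid]   # purge the stale entry on first use
            return None
        s.last_seen = now             # activity extends only the idle window
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

The absolute timeout caps how long a stolen ID is useful even if the attacker keeps it active; the idle timeout is what closes the cyber cafe window in Example #2.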

Technical Impact

Authentication is the main function of many APIs, so these issues can affect everyone: developers accidentally committing API keys, pay-per-use APIs being manipulated, or mechanisms like OAuth being misconfigured so that an attacker can take on the identity of another user.