Hacker News new | ask | show | jobs
by joergsauer 4000 days ago
Interesting article, but more details on how the attack succeeded would have been worth reading. Was it a problem with password reset in the Harvard email system, i.e. was publicly available information used to answer a verification question in combination with an arbitrary email address? Or was it a social engineering attack, i.e. did the attacker convince somebody at Harvard to initiate a password reset using this information?
1 comments
jakejake 4000 days ago
From the article "Itz very simple sir… Im hacked your account in 2 min… Im learned ur boi (bio) from internet… and create gmail account like yours then I fill the submit form with my email and Harvard send mail the Password change link.. That it…"
link
nchelluri 4000 days ago
So I don't quite understand that... Trying to piece it together.

Perhaps the Harvard email system will allow you to send a Reset Password link to an arbitrary (?) email address if you correctly identify some "identity verification" questions, and this guy was able to glean the answers to those questions from reading the article author's bio?

link
jakejake 4000 days ago
Didn't sound like it was too awfully difficult but yea, pretty thin on the details. Here's Harvards password reset instructions... http://huit.harvard.edu/reset-your-harvard-password
link
TwoBit 4000 days ago
So Facebook had his Harvard email as the password reset email?
link
joergsauer 4000 days ago
That is what I got from On the day it happened, I figured out he got in by taking over my Harvard alumni email and then requesting that a new password from Facebook be sent there.

Gaining control of email accounts is how other accounts are typically captured when multi-factor auth is not enabled, of course. The question is how exactly the attacker got into Thurston's email account at Harvard. The reset instructions read like answering a verification question is all that is needed to change the password without knowing the original password. That would mean two lessons:

1. Harvard should add at least one additional step to this procedure, such as requiring confirmation through a secondary email address.

2. Nobody should ever use publicly available information as answers for password reset "security" questions.

(Both not exactly surprising insights here, of course...)

What still doesn't add up is the part about the attacker "creating gmail account like yours".

link