What the Reddit Hack Teaches Us About Web Security
Although our knowledge about the attack is limited to what Reddit has disclosed, we can still analyze the incident from a web security perspective.
Storing Hashed and Salted Passwords
Protecting passwords with salted password hashing is a web security measure that really pays off when a site is breached. A unique random salt for every password means that two users with the same password do not end up with the same stored hash, so an attacker who steals the table cannot use precomputed lookup tables and cannot crack one hash and reuse the result for every account that shares that password: each stolen hash has to be attacked on its own, and if the hash function is deliberately slow, each guess costs real time. This only holds as long as the passwords themselves are strong enough; a weak or common password still falls to an offline dictionary attack. For users who reuse the same password on other sites, the hashing is what stands between the breach and the takeover of their accounts on those platforms as well.
Reddit announced that users whose stolen credentials turn out to still be in use will be asked to reset their passwords. Regardless, users are advised to change their password as a precaution if they have been using the same one since 2007 (refer to our customer survey on risky online behavior for more on how end users handle passwords).
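The following example is added here to make the point above concrete; it is not Reddit's code, and Reddit never disclosed its hashing scheme. It uses PBKDF2 from the Python standard library with illustrative parameters (Argon2id or bcrypt via a library are the usual production choices), stores the salt alongside the digest, verifies with a constant-time comparison, and then plays the offline attacker against a constructed table of stolen records to show what salting does and does not buy you: equal passwords no longer collide, every guess costs a full derivation per record, and a weak password still falls to a wordlist.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Illustrative parameters for this example, not Reddit's (never disclosed).
# PBKDF2-HMAC-SHA256 is used because it ships with the standard library.
ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash and return algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_hash(password: str) -> str:
    """The weak alternative: one fast hash, no salt. Equal passwords collide
    and a single precomputed table cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_offline(records: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Offline attacker holding the stolen table. With per-record salts each
    (record, guess) pair costs a full derivation; nothing carries over between users."""
    cracked: Dict[str, str] = {}
    for record in records:
        for guess in wordlist:
            if verify_password(guess, record):
                cracked[record] = guess
                break
    return cracked


def demo() -> dict:
    """Constructed scenario: two users chose the same weak password, one chose a strong one."""
    weak, strong = "hunter2", "correct horse battery staple"
    r1, r2 = hash_password(weak), hash_password(weak)
    r3 = hash_password(strong)
    wordlist = ["password", "123456", "hunter2", "qwerty"]  # constructed attacker wordlist
    return {
        "unsalted_collide": unsalted_hash(weak) == unsalted_hash(weak),  # same hash for both users
        "salted_collide": r1 == r2,                                      # different records
        "verify_ok": verify_password(weak, r1),
        "verify_wrong": verify_password("Hunter2", r1),
        "cracked": len(crack_offline([r1, r2, r3], wordlist)),           # the two weak ones
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not need to be secret, only unique; what protects the strong password in the demo is that no guess in the wordlist matches it, while the weak password is recovered twice because each record had to be attacked separately but the attacker was willing to pay that cost.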
Two-Factor Authentication and Multi-Factor Authentication (MFA)
Reddit employees were right to enable 2FA on their logins. Two-Factor Authentication is an additional authentication step that requires the user to present proof from two different categories of factor (Multi-Factor Authentication generalizes this to two or more):
- Knowledge — something the user knows (password, PIN code)
- Possession — something the user has (telephone, OTP, Token Generator)
- Inherence — something the user is (biometrics, fingerprints)
Intercepting SMS text messages, whether by SIM-swapping or by abusing weaknesses in the SS7 signalling protocol, has been practiced by criminals for quite a while, and Reddit stated that the main attack in this incident was carried out via SMS intercept. An SMS code is a possession factor in name only: it proves control of a phone number, and a phone number can be taken over remotely without ever touching the phone.
Following this incident, Reddit also announced that it is moving away from SMS-based Two-Factor Authentication in favor of token-based 2FA. Instead of an SMS verification code, users enter a one-time code generated by an authenticator application (usually installed on their phone) as part of the login process. Such a code is derived from a secret shared at enrollment and the current time, so it never travels over the phone network and cannot be obtained by hijacking the number; what remains to protect is the enrollment secret itself and the user against entering the code into a phishing page in real time.
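To show what "token-based 2FA" actually computes, here is an added example that is not part of the original article and not Reddit's implementation: a standard-library TOTP (RFC 6238, built on HOTP from RFC 4226) with the server-side pieces a practitioner would want, namely base32 secret enrollment, an otpauth URI for the QR code (the issuer and account names are placeholders), a verification window for clock skew, constant-time comparison, and replay protection that refuses any counter not newer than the last one accepted. The expected values in the test come from the RFC test vectors for the secret `12345678901234567890`.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def new_secret() -> str:
    """Enrollment: a random 160-bit secret, base32-encoded for the QR code / URI.
    This is the only thing the user's authenticator app ever receives."""
    return base64.b32encode(os.urandom(20)).decode()


def decode_secret(secret_b32: str) -> bytes:
    """Server side keeps the base32 form; decode it before computing codes."""
    return base64.b32decode(secret_b32)


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """URI encoded into the enrollment QR code (issuer/account are placeholders)."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&digits=6&period=30")


def verify_totp(secret: bytes, code: str, unix_time: int, state: Dict[str, int],
                window: int = 1, step: int = 30) -> bool:
    """Server-side check. Accepts the current step and +/- `window` steps to
    tolerate clock skew, compares in constant time, and never accepts a counter
    that is not newer than the last one used, so an observed code cannot be replayed."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= state.get("last_counter", -1):
            continue  # already consumed (or older): reject even if it matches
        if hmac.compare_digest(hotp(secret, candidate), code):
            state["last_counter"] = candidate
            return True
    return False


if __name__ == "__main__":
    # Enrollment flow with placeholder names, then one login round-trip.
    b32 = new_secret()
    print(otpauth_uri("ExampleCorp", "alice@example.com", b32))
    import time
    now = int(time.time())
    code = totp(decode_secret(b32), now)          # what the phone app would display
    print(code, verify_totp(decode_secret(b32), code, now, {}))
```

Nothing in `verify_totp` depends on a phone number or a carrier, which is the whole point of the switch: an attacker who has SIM-swapped the user learns nothing, because the code is a function of the enrollment secret and the clock only.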
An Excellent Example of Proper Logging and Monitoring
Perhaps the most controversial item on the OWASP Top 10 list for 2017 was the Insufficient Logging and Monitoring category. The OWASP Proactive Controls list has a matching entry, Implement Logging and Intrusion Detection. The two lists look at the same control from opposite sides: the Proactive Controls list prescribes logging and intrusion detection as a measure to build in, while the Top 10 treats their absence or inadequate implementation as a weakness in its own right, because without them a breach is not contained but simply continues.
Keeping in mind that the average time between a successful attack and its detection has been reported at no less than a whopping 191 days, Reddit did an impressive job: the attacker was active between June 14 and 18, and Reddit uncovered the intrusion on June 19, between one and five days after it began.
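As an added illustration of what "intrusion detection" means at the level of an authentication log (this is example code, not Reddit's telemetry or detection rules), the script below runs two simple rules over constructed log lines from a fictional SSO gateway: a successful login from a network the user has never logged in from before, and a successful login that follows a burst of failures for the same account within a short window. Both are the kind of signal that surfaces an account takeover within hours rather than months, and both presuppose that the login events were logged in the first place.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Reddit data): key=value fields from a
# fictional SSO gateway, in chronological order. Addresses are documentation ranges.
SAMPLE_LOG = """\
ts=2018-06-14T09:02:11Z user=alice src=198.51.100.23 result=success mfa=sms
ts=2018-06-14T09:05:40Z user=bob src=198.51.100.41 result=success mfa=totp
ts=2018-06-15T02:41:02Z user=alice src=203.0.113.9 result=fail reason=bad_password
ts=2018-06-15T02:41:20Z user=alice src=203.0.113.9 result=fail reason=bad_password
ts=2018-06-15T02:42:05Z user=alice src=203.0.113.9 result=fail reason=bad_otp
ts=2018-06-15T02:43:11Z user=alice src=203.0.113.9 result=success mfa=sms
ts=2018-06-15T08:10:00Z user=bob src=198.51.100.77 result=success mfa=totp
"""

# Per-user baseline of /24 networks seen in earlier successful logins. In a real
# deployment this is learned from weeks of history; here it is constructed.
BASELINE = {
    "alice": {ipaddress.ip_network("198.51.100.0/24")},
    "bob": {ipaddress.ip_network("198.51.100.0/24")},
}

FAIL_WINDOW = timedelta(minutes=10)   # how long failures stay relevant
FAIL_THRESHOLD = 3                    # failures before a success becomes suspicious


def parse_line(line: str) -> dict:
    """Parse one key=value log line; derive the /24 the source address belongs to."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["net"] = ipaddress.ip_network(fields["src"] + "/24", strict=False)
    return fields


def detect(log_text: str, baseline: dict) -> list:
    """Return (timestamp, user, rule, detail) tuples for suspicious successful logins."""
    alerts = []
    recent_fails = defaultdict(deque)                # user -> timestamps of recent failures
    known = {u: set(nets) for u, nets in baseline.items()}
    for line in log_text.splitlines():
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]
        fails = recent_fails[user]
        while fails and ts - fails[0] > FAIL_WINDOW:  # expire old failures
            fails.popleft()
        if ev["result"] == "fail":
            fails.append(ts)
            continue
        # Successful login: rule 1, never-before-seen network for this user.
        nets = known.setdefault(user, set())
        if ev["net"] not in nets:
            alerts.append((ts, user, "login_from_new_network", str(ev["net"])))
            nets.add(ev["net"])                       # learn it only after alerting
        # Rule 2, success right after a burst of failures (guessing / OTP retries).
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append((ts, user, "success_after_failures",
                           f"{len(fails)} failures within {FAIL_WINDOW}"))
            fails.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(*alert)
```

On the constructed data, only alice's 02:43 login fires, on both rules, while bob's login from a new address inside a known network stays quiet. A real pipeline would add more context (ASN or geolocation instead of a bare /24, the MFA method used, impossible-travel checks), but the shape is the same: record every authentication event, keep a per-identity baseline, and alert on deviation soon enough for someone to act.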
For further information on the attack, see the full Reddit announcement.
Published at DZone with permission of Ziyahan Albeniz, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.