A security expert discovered a flaw in the password recovery process on the website of online betting exchanges Betfair. Betfair is one of the world’s largest online betting exchanges, and this vulnerability represents a serious threat to its users.
In September 2014, a disconcerting news related the security of the Betfair website appeared on a forum. The news reported a bug in the password reset procedure that potentially allows users to reset their passwords simply by providing the username/email address and the date of birth of the owner of the account.
An ill-intentioned user just needs to provide a valid username and the associated date of birth, to receive the instruction to reset the password, without answer security questions or being asked to click on a link received via a confirmation email.
“For a site that trades multi millions their security is crap. If someone knows your username and date of birth, they can hijack your account. Before you login in, all you need to do is click lost password/username, then enter your username, then date of birth and it will allow you to reset the password without any other verification…not even an email. You can simply enter the new password and hijack the account. I wanted another out on top of pinnacle and looked into betfair but once finding this out, there is no way i am opening an account. those of you with big money there, becareful.” wrote the users with nickname ‘yukomon’
The presence of the vulnerability in the Betfair website was confirmed a couple of months later by the Yahoo iOS developer Tom Thorpe. Thorpe reported that the flaw in the password reset process only affect Betfair accounts with less than £100.
— Tom Thorpe (@thorpetom) 28 Dicembre 2014
Another disconcerting aspect of the story is that the support staff at Betfair denied the presence of the flaw when was contacted by the VentureBeat reporter Paul Sawers.
The cyber security expert Troy Hunt published video PoC to demonstrate how to change the password for a Betfair account by knowing the username and the date of birth associated to the account.
The problems for Betfair users are not ended here, a second security flaw in the password recovery feature implemented by the company was reported by a user on Reddit. The user discovered a hidden form on the page containing the address to which the password reset email was being sent.
The user verified that it was possible to change the address by simply using the developer tools in the web browser, in this wat the password reset email would be sent to an arbitrary address chosen by the attacker.
In the following video PoC published by the expert James Harland is demonstrated the exploitation of the flaw.
Don’t fear, Betfair following the has addressed both vulnerabilities.
(Security Affairs – Betfair , hacking)