Lack of standardization of the password reset procedures of web services can help hackers find the phone number linked to a victim’s email address.
Online services have implemented mechanisms that let users change their login password when they forget it or want a stronger one. The email address associated with the account is needed to start the procedure.
Where a phone number is available, service providers offer mobile text or voice options to receive a temporary code. This is to verify that the legitimate owner of the account initiated the password reset procedure.
Alternatively, users can start the procedure by providing a phone number, and the service responds with a masked version of the email address. In both cases, only fragments of the other identifier are revealed.
A few critical digits
A diligent attacker can work toward recovering as many of the masked characters as possible and narrow the candidates down to a set small enough to verify manually.
With phone numbers, only a few digits are visible, enough for users with multiple phones to know which one to expect the code on. Services hide different parts of the number, though, so someone holding a victim’s email address can learn more digits by starting password resets on multiple services.
Offensive security researcher Martin Vigo studied the password reset methods of popular websites and found that they revealed between two and five digits; that is up to 50% of a U.S. phone number, and a larger share for countries with shorter numbers.
In the case of a U.S. number, data from public sources can help recover some of the hidden digits, because the number is composed of three blocks that identify a wider area (e.g. a large city), an exchange (e.g. a town), and the subscriber.
Vigo found that using resources from the North American Numbering Plan Administrator (NANPA) and the National Pooling Administrator (NPA) alone, an adversary can zero in on the correct victim number.
Following this method, Vigo narrowed the candidate phone numbers for a victim in Tacoma, Washington, who had an eBay and a LastPass account, down to 445.
He created a tool called “email2phonenumber” that not only automates this process but also runs a reverse check where a phone number is fed during a password reset procedure to see if it correlates with the known email address.
Amazon and Twitter accept phone numbers for password resets and show some characters of the email address. By comparing the leaked characters, an attacker can guess whether the phone number they tested is the correct one.
email2phonenumber automates this process and attempts to fool the captcha protection by replicating human behavior. To confuse the service provider, it starts the password reset for several phone numbers.
Same masking pattern for all numbers
While abusing the password reset process may be slow at finding U.S. phone numbers, Vigo points out that other countries have phone numbers with fewer digits, like Iceland, Estonia or San Salvador, where there are only seven.
Since services do not adjust their masking to the length of the phone number, the method should work faster if the victim is registered with a service like PayPal, which reveals the first digit and the last four digits during the password reset process.
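The cross-service digit overlap the article describes can be measured from the defender's side. The following is an added example, not code from Vigo or from email2phonenumber: a small mask-overlap calculator a service operator can use to estimate how many digits of a customer's number are collectively exposed once their own mask is combined with the masks other services show. The service names and masked strings are constructed; the merge works for any national number length, so the seven-digit case above can be checked the same way.

```python
from typing import Dict

# Constructed sample: what a user sees on several services' password reset
# pages for the same (made-up) number. '*' is a hidden digit; separators are
# ignored. Each service reveals a different slice, as the article describes.
SAMPLE_MASKS: Dict[str, str] = {
    "service_a": "***-***-**12",   # last two digits only
    "service_b": "206-***-****",   # area code only
    "service_c": "*06-8**-**12",   # a mix that overlaps the other two
}

def mask_digits(mask: str) -> str:
    """Keep only digit and '*' characters so separators do not shift positions."""
    return "".join(c for c in mask if c.isdigit() or c == "*")

def merge_masks(masks: Dict[str, str]) -> str:
    """Overlay all masks position by position. A digit revealed by any one
    service becomes known. Two services disagreeing on a position raises
    ValueError, which usually means the accounts use different numbers."""
    cleaned = {name: mask_digits(m) for name, m in masks.items()}
    lengths = {len(d) for d in cleaned.values()}
    if len(lengths) != 1:
        raise ValueError(f"masks have different lengths: {lengths}")
    combined = ["*"] * lengths.pop()
    for name, digits in cleaned.items():
        for i, c in enumerate(digits):
            if c == "*":
                continue
            if combined[i] not in ("*", c):
                raise ValueError(f"{name} disagrees at position {i}")
            combined[i] = c
    return "".join(combined)

def exposed_count(mask: str) -> int:
    """Number of digit positions a single mask reveals."""
    return sum(1 for c in mask_digits(mask) if c.isdigit())

def leakage_report(masks: Dict[str, str]) -> dict:
    """Per-service and combined exposure, plus the brute-force search space
    that remains before any numbering-plan data narrows it further."""
    combined = merge_masks(masks)
    hidden = combined.count("*")
    return {
        "per_service": {n: exposed_count(m) for n, m in masks.items()},
        "combined": combined,
        "exposed": len(combined) - hidden,
        "candidates": 10 ** hidden,
    }

if __name__ == "__main__":
    print(leakage_report(SAMPLE_MASKS))
```

A mask that only ever reveals the last two digits keeps the combined exposure low regardless of what other services show; a mask that reveals area-code digits is what shrinks the candidate set fastest.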
The researcher’s proposed fix is to add support for labels indicating the purpose of an email address or phone number (personal, work) and to use those labels as the hint during the password reset procedure.
Vigo informed online services that showed more than two digits of the potential for abuse, especially when the revealed digits are part of the area and exchange blocks.
PayPal said that everything works as designed and took no action, despite revealing five digits when the target’s email address is known.
Vigo presented his research, ‘From Email Address to Phone Number’, in Las Vegas at the BSides security conference and the DEF CON hacker event.