The “account locking” feature enables denial of service attacks against users. These attacks are mounted by trying to log in to a user’s account several times with invalid passwords, thus causing the account to be blocked. Yahoo!, for example, reports that users who compete in auctions use this method to block the accounts of other users competing in the same auctions. This attack should be especially worrisome for mission-critical applications, for example for enterprises whose employees and customers use the web to log in to their accounts.

One could even imagine a distributed denial of service attack against servers that implement the “account locking” feature. As in other distributed denial of service (DDoS) attacks, the attacker could plant hidden agents around the web. All the agents could start operating at a specific time, trying to log in to accounts on a specific server using random passwords (or using a dictionary attack). Such an attack could block a large proportion of the accounts on the attacked server.
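From the defender’s side, the lockout-based denial of service described above leaves a recognisable trace in authentication logs: accounts become locked by failures from sources that never authenticate successfully, and in the distributed variant a single source locks many accounts. The following is an added example, not code from the paper, that replays such a lockout policy over a constructed login log and flags those sources; the three-failure threshold, the log format and the IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample authentication events (not taken from the paper):
# (timestamp, account, source_ip, outcome)
EVENTS = [
    ("2024-01-01T10:00:00", "alice", "10.0.0.5", "ok"),
    ("2024-01-01T10:05:00", "alice", "198.51.100.7", "fail"),
    ("2024-01-01T10:05:10", "alice", "198.51.100.7", "fail"),
    ("2024-01-01T10:05:20", "alice", "198.51.100.7", "fail"),  # alice now locked
    ("2024-01-01T10:06:00", "bob", "198.51.100.7", "fail"),
    ("2024-01-01T10:06:05", "bob", "198.51.100.7", "fail"),
    ("2024-01-01T10:06:10", "bob", "198.51.100.7", "fail"),    # bob now locked
    ("2024-01-01T10:07:00", "carol", "10.0.0.9", "fail"),      # one mistyped password
    ("2024-01-01T10:07:30", "carol", "10.0.0.9", "ok"),
]

LOCK_THRESHOLD = 3  # assumed policy: lock after this many consecutive failures


def lockouts(events, threshold=LOCK_THRESHOLD):
    """Replay the lockout policy over the log. An account locks after
    `threshold` consecutive failures; a success resets its counter.
    Returns {account: set of source IPs whose failures caused the lock}."""
    streak = defaultdict(int)
    failing_sources = defaultdict(set)
    locked = {}
    for _, account, src, outcome in events:
        if account in locked:
            continue  # further attempts against a locked account change nothing
        if outcome == "ok":
            streak[account] = 0
            failing_sources[account].clear()
            continue
        streak[account] += 1
        failing_sources[account].add(src)
        if streak[account] >= threshold:
            locked[account] = set(failing_sources[account])
    return locked


def suspicious_lockers(events, threshold=LOCK_THRESHOLD, min_accounts=2):
    """Source IPs that locked at least `min_accounts` distinct accounts and
    never logged in successfully: the signature of a lockout-based denial
    of service rather than of legitimate users mistyping their passwords."""
    succeeded = {src for _, _, src, outcome in events if outcome == "ok"}
    by_src = defaultdict(set)
    for account, sources in lockouts(events, threshold).items():
        for src in sources:
            by_src[src].add(account)
    return {src: sorted(accts) for src, accts in by_src.items()
            if src not in succeeded and len(accts) >= min_accounts}
```

On the constructed log, `suspicious_lockers(EVENTS)` reports only 198.51.100.7 (which locked alice and bob), while carol’s single mistake followed by a successful login is not flagged.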