This Week’s Recap

Every Sunday I post a quick recap of what I've worked on in my free time during the previous week. There are a few reasons I wanted to do this.

  1. Not everything deserves the time and attention of a full blog post, but it is still interesting.
  2. When I first started out in security I didn't know what projects to work on. This roundup was started to show people what projects they can work on to get experience in security before they have a job in security.
  3. To document my wins, but also my failures.
  4. It's fun to talk about the random projects you're working on :)

2/7/2022

Backstory

This week I spent entirely too long trying to get access to all my old Runescape accounts. This was one of those times where being a massive dweeb (technically savvy, I mean) had a very practical use. Let me set the stage. One of the first games I ever got into was Runescape. Over the years I created many accounts for various reasons, but the main account, the one I made nearly 15 years ago on February 15th, 2007, I had not been able to log into for years. Around 2010 Runescape transitioned from using usernames to using emails for authentication. This meant that if my username was grahamhelton (which it is not), I would have to add an email to that account, for example graham@gmail.com. No big deal, right? Well, many years later, I created a new Runescape account with that same email address, graham@gmail.com. Now two accounts, grahamhelton and graham@gmail.com, are associated with this one email. I'm not sure if this is a bug or a feature.

When sending a password reset request for the account associated with graham@gmail.com, I would only get access to the newer account, not my original one. To make things more tedious, you get locked out of requesting password resets after you send two or three (more on this in a moment...). To make matters even more confusing, I had 4 accounts in total, created at various points under various email addresses. After some mindmapping I was finally able to piece together how to request the password reset for my oldest (15-year-old) account.

What does this have to do with security?

A few things to note:

  1. Password reset lockouts based on IP address are not an effective way to keep someone from issuing many password resets.
    • Reset rate limits should be keyed on the target account, not on the requester's IP. I should not have been able to request a password reset for the same account from 10 different IPs within an hour of each other, and doing so was trivial with a VPN.
  2. Mindmapping is a great tool for scoping out a web application and discovering how things work behind the scenes.
  3. Don't assume your users know how things work on the back end.
    • Perhaps this is common knowledge to those who never stopped playing Runescape, but for someone just trying to log into their account for the first time in 10 years, it is very confusing to have two accounts associated with one email. To trigger the password reset on one, you give it your email; to trigger the password reset on the other, you give it a username. (To make matters more convoluted, my username is not my in-game name.)
    • A fun rabbit hole for me, but probably one most people won't purposely jump down.
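To make the first point concrete, here is an added example (my own illustration, not Jagex's code or anything from the Runescape reset flow) of the difference between a reset rate limiter keyed on the requester's IP and one keyed on the target account. The limits, window, account name and IP addresses are all assumptions chosen for the demonstration; the scenario is the one described above, one account hit from ten different VPN exits inside an hour.

```python
"""Rate-limit password-reset requests by target account instead of by source IP.

Added example for illustration; not Jagex/Runescape code. The limit of three
requests per hour, the key choices and the sample addresses are assumptions.
"""
from collections import defaultdict, deque


class ResetRateLimiter:
    """Sliding-window counter. key_fn decides what gets a bucket: the IP
    (what the post describes), the target account, or anything else."""

    def __init__(self, key_fn, limit, window_seconds):
        self.key_fn = key_fn
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)  # bucket key -> timestamps of recent requests

    def allow(self, account, ip, now):
        """Return True if this reset request may be sent, recording it if so."""
        key = self.key_fn(account, ip)
        q = self.events[key]
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def ip_keyed_limiter():
    """The weak scheme: a new IP gets a fresh allowance for the same account."""
    return ResetRateLimiter(key_fn=lambda account, ip: ip, limit=3, window_seconds=3600)


def account_keyed_limiter():
    """The stronger scheme: the allowance belongs to the account being reset,
    so changing source IP does not reset the counter."""
    return ResetRateLimiter(key_fn=lambda account, ip: account.lower(), limit=3, window_seconds=3600)


def simulate(limiter, account, ips, spacing_seconds=60):
    """Request a reset for one account from each IP in turn (one a minute);
    return how many reset emails would actually be sent."""
    sent = 0
    for i, ip in enumerate(ips):
        if limiter.allow(account, ip, now=i * spacing_seconds):
            sent += 1
    return sent


# Constructed scenario: one target account, ten VPN exit IPs (TEST-NET-3 range).
TARGET = "grahamhelton"
VPN_IPS = [f"203.0.113.{n}" for n in range(1, 11)]

if __name__ == "__main__":
    print("IP-keyed limiter     :", simulate(ip_keyed_limiter(), TARGET, VPN_IPS), "of 10 resets sent")
    print("Account-keyed limiter:", simulate(account_keyed_limiter(), TARGET, VPN_IPS), "of 10 resets sent")
```

With the IP-keyed limiter all ten resets go out; with the account-keyed one only three do, because the bucket follows the account rather than the VPN exit. In practice you keep a per-IP limit as well (it still blunts someone hammering many accounts from one host), and the response must read the same whether or not the account limit was hit, otherwise the limiter itself becomes an account-enumeration oracle and a cheap way to lock a victim out of resetting their own password.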

2/8/2022

2/9/2022

2/10/2022

2/11/2022

2/12/2022

2/13/2022

Have any questions?

Do you have any questions? Feel free to reach out to me on Twitter. See you next Sunday. :)