While you might feel more at ease knowing your personal information is protected by two-factor authentication, a bug in Frontier’s password reset system is demonstrating that vulnerabilities can open your info up to exposure even when that extra level of protection is available. The internet giant’s password system sends users a two-factor code when they initiate a reset, but ZDNet reports that the system lets you enter as many codes as you want, opening up users’ accounts to a breach. Spotted by security researcher Ryan Stevenson, the bug means a determined attacker with some time on their hands could get into an account with just a username or an email address.
Stevenson demonstrated the vulnerability on a test account he set up, automating a process that sent code after code to the browser until the right one was selected. That code then let him reset the account password. Based on his demonstration, it would take around a day to try out every possible code with Stevenson’s set up, but he says it could probably happen more quickly with a faster connection.
Frontier told ZDNet that it’s investigating the issue. “Out of an abundance of caution while the matter is being investigated, Frontier has shut down the functionality of changing a customer’s password via the web,” a company spokesperson said.