[BreachExchange] OpenBullet Exploited for Credential Stuffing

Destry Winant destry at riskbasedsecurity.com
Wed May 5 10:39:51 EDT 2021


https://www.ehackingnews.com/2021/05/openbullet-exploited-for-credential.html

Credential stuffing, a form of access-related cybercrime, is on the rise
and shows no signs of slowing down. Between January 2018 and December 2019,
there were 88 billion credential stuffing attacks, according to an Akamai
survey.

Credential stuffing is a form of cyberattack in which compromised account
credentials are used to obtain unauthorized access to user accounts through
large-scale automated login requests directed at a web application. The
credentials are usually lists of usernames and/or email addresses and the
corresponding passwords, often taken from a data breach. Credential stuffing
attacks, unlike credential hacking, do not try to brute force or guess any
passwords. Using standard web automation software like Selenium, cURL,
PhantomJS, or tools built especially for these types of attacks like Sentry
MBA, SNIPR, STORM, Blackbullet, and Openbullet, the intruder easily
automates the logins for a significant number (thousands to millions) of
previously discovered credential pairs.
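As an added defender-side example (not part of the article), the following Python classifies login sources in a constructed authentication log by the pattern described above: many distinct usernames each tried roughly once (replay of breached pairs) versus one username with many attempts (brute force). The log format, thresholds and IP addresses are assumptions.

```python
# Added example: telling credential stuffing apart from password brute force
# in authentication logs. Sample lines and thresholds are constructed here.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample auth log: "<timestamp> <src_ip> <username> <result>"
SAMPLE_LOG = """\
2021-05-05T10:00:01Z 203.0.113.10 alice FAIL
2021-05-05T10:00:02Z 203.0.113.10 bob FAIL
2021-05-05T10:00:02Z 203.0.113.10 carol OK
2021-05-05T10:00:03Z 203.0.113.10 dave FAIL
2021-05-05T10:00:03Z 203.0.113.10 erin FAIL
2021-05-05T10:00:04Z 203.0.113.10 frank FAIL
2021-05-05T10:00:10Z 198.51.100.7 admin FAIL
2021-05-05T10:00:11Z 198.51.100.7 admin FAIL
2021-05-05T10:00:12Z 198.51.100.7 admin FAIL
2021-05-05T10:00:13Z 198.51.100.7 admin FAIL
2021-05-05T10:00:14Z 198.51.100.7 admin FAIL
2021-05-05T10:05:00Z 192.0.2.55 alice OK
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

def parse_log(text):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result != "OK":
            s.failures += 1
    return stats

def classify(stats, min_attempts=5, fail_ratio=0.6):
    """Label each source: normal, credential-stuffing, brute-force or suspicious."""
    verdicts = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.failures / s.attempts < fail_ratio:
            verdicts[ip] = "normal"
        elif len(s.users) / s.attempts >= 0.8:
            # Many distinct usernames, each tried about once: breached pairs replayed.
            verdicts[ip] = "credential-stuffing"
        elif len(s.users) == 1:
            # One username, many passwords: password guessing, not stuffing.
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts
```

Real stuffing runs are usually spread across proxy pools, so the same ratios should also be computed site-wide per time window, not only per source IP.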

Since many users reuse the same username/password combination across
different sites, credential stuffing attacks are likely to succeed. According
to one poll, 81 percent of users have reused a password across two or more
sites, and 25 percent of users use the same password across a number of their
accounts.

OpenBullet is a free web-testing tool that allows users to make particular
requests on specific web pages. The open-source tool is available on GitHub
and can be used for a variety of activities, including data scraping and
sorting, automatic penetration testing, and Selenium unit testing.

For legitimate reasons, such as penetration testing, the app allows users
to try several "login:password" variations as credential brute-force
attacks on various websites. Cybercriminals, on the other hand, will use it
to find legitimate passwords on various websites for nefarious purposes.

A user can import prebuilt configuration files, or configs, into OpenBullet,
one for each website to be checked. It also has a modular editor for changing
configurations as desired. This is a necessary function, since websites
routinely make minor changes to their login flows in order to combat
automated tools like OpenBullet. Notably, OpenBullet's GitHub profile has a
note that the tool should not be used for credential stuffing on websites
that the user does not own.

The Federal Trade Commission (FTC) released an advisory in 2017 advising
businesses on how to combat credential stuffing, including requiring strong
passwords and preventing attacks.