Personal Information Leakage During Password Recovery of Internet Services
Mordechai Guri, Eyal Shemer, Dov Shirtz, Yuval Elovici

TL;DR
This paper investigates how the password recovery processes of major internet services can inadvertently leak personal user information, potentially enabling attackers to gather sensitive data.
Contribution
It reveals vulnerabilities in common password recovery mechanisms that can lead to personal information leakage, highlighting privacy risks.
Findings
Password recovery processes can reveal email addresses and phone numbers.
Attackers can infer additional user details from leaked information.
Different scenarios show varying levels of information exposure.
Abstract
In this paper we examine the standard password recovery process of large Internet services such as Gmail, Facebook, and Twitter. Although most of these services try to maintain user privacy with regard to registration information and other personal information provided by the user, we demonstrate that personal information can still be obtained by unauthorized individuals or attackers. This information includes the full (or partial) email address, phone number, friends list, address, etc. We examine different scenarios and demonstrate how the details revealed in the password recovery process can be used to deduce more focused information about users.
