A new method of hijacking email accounts has been described

27 June 2017, 10:46 | Technologies 
Photo: InternetUA

Israeli scientists have described a new attack method called PRMitM (Password Reset Man-in-the-Middle), which lets an attacker initiate a password reset of the user's email account while the user is registering on another site. PRMitM relies on social engineering, since the attackers first need to convince a potential victim to register an account on a site they have set up for this purpose.

When a user enters a login or email address in the registration form on the attackers' site, the site forwards this information to the password reset page of the victim's account at Google, Yandex or Yahoo! in order to start the password reset process. If the service requests additional actions, for example entering a CAPTCHA, answering secret questions or entering a verification code sent by SMS, the attacker adds the corresponding fields to the registration form.

PRMitM is effective only against accounts at email services. As the experts explain, most websites send password reset links by email, while email services use other methods, such as the CAPTCHA tests, secret answers and verification codes already mentioned.

The success of the attack depends mainly on how attentive users are, the researchers note. For example, during testing of the new method many users entered all the requested information into the registration form without realizing that someone was trying to take over their account. Moreover, on receiving SMS messages with the verification code, most users did not bother to read the notice to the end, which could have prevented the account from being compromised. Some services, such as Twitter or Facebook, state in their SMS messages what the code is intended for (for resetting the password, registering and.

To counter such attacks in the future, the researchers recommend that services take a number of measures, including sending password reset links in SMS messages if they do not already send such links by email. A user who receives such a message while registering on another site will realize that something suspicious is going on, the researchers believe.
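As an added illustration of the researchers' recommendation (example code written for this page, not from the study or from any provider it names): the bare-code SMS beside a reset message that names the service and the purpose and carries a single-use, expiring link token. The service name, URL and key are placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlencode

# Placeholder settings for the demo (not taken from the article).
SERVICE_NAME = "ExampleMail"
RESET_URL = "https://mail.example/reset"
SECRET_KEY = b"server-side-secret-used-only-in-this-demo"
PURPOSE = "password-reset"


def weak_reset_sms(code: str) -> str:
    """The pattern the article criticises: a bare code, no service name, no purpose."""
    return f"Your verification code is {code}"


def issue_reset_token(account: str, now: int, ttl: int = 900) -> str:
    """Token bound to account and purpose, expiring after ttl seconds, HMAC-authenticated."""
    payload = f"{account}|{PURPOSE}|{now + ttl}"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_reset_token(token: str, account: str, now: int, used_tokens: set) -> bool:
    """Accept a token once, only for its account and purpose, and only before expiry."""
    try:
        payload, mac = token.rsplit("|", 1)
        tok_account, purpose, expiry = payload.split("|")
        expiry = int(expiry)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # forged or tampered
    if tok_account != account or purpose != PURPOSE or now > expiry:
        return False  # wrong account, wrong purpose, or expired
    if token in used_tokens:
        return False  # single use
    used_tokens.add(token)
    return True


def hardened_reset_sms(account: str, now: int) -> str:
    """Reset message that names the service and the purpose and carries a link, not a code."""
    link = f"{RESET_URL}?{urlencode({'token': issue_reset_token(account, now)})}"
    return (f"{SERVICE_NAME}: a PASSWORD RESET was requested for {account}. "
            f"Open {link} only if you asked for it; otherwise ignore this message.")
```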

Source: InternetUA