A bug in how cable and internet giant Frontier reset account passwords allowed anyone to take over user accounts. The vulnerability, found by security researcher Ryan Stevenson, allows a determined attacker to take over an account with just a username or email address. With a few hours' worth of determination, an attacker can bypass the access code sent during the password reset process.
Stevenson found that the access code field did not limit the number of attempts, allowing him to enter as many codes as he wanted. By automating the process using a network intercept tool on a test account he created, Stevenson was able to reproduce the access code. After disclosing the bug to Frontier, the cable giant told ZDNet that an investigation is underway.
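The missing control is a cap on failed guesses per issued code. The following is an added example, not Frontier's code or anything from the ZDNet report: a server-side verifier that burns a reset code after a fixed number of wrong submissions, expires it, and allows it to be used once. The class name, the six-digit code length, the five-attempt limit and the ten-minute lifetime are all assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # assumed policy: failed guesses allowed per issued code
CODE_TTL_SECONDS = 600    # assumed policy: code lifetime
CODE_DIGITS = 6           # assumed code length; the page does not state it


class ResetCodeStore:
    """In-memory store of pending password-reset codes, keyed by account."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # account -> [code, expires_at, failed_attempts]

    def issue(self, account):
        """Create a fresh code, replacing any previous one for the account."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code  # a real service sends this out of band, never back to the client

    def verify(self, account, submitted):
        """Return 'ok', 'invalid', 'locked' or 'expired' for a submitted code."""
        entry = self._pending.get(account)
        if entry is None:
            return "invalid"
        code, expires_at, failed = entry
        if self._clock() >= expires_at:
            del self._pending[account]
            return "expired"
        if failed >= MAX_ATTEMPTS:
            return "locked"  # code is burned; even the right value is refused
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[account]  # single use
            return "ok"
        entry[2] = failed + 1
        return "invalid"
```

Because issuing a new code resets the counter, code issuance itself also needs a per-account rate limit, which this sketch leaves out.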
Read more about how a two-factor code used to reset the password for accounts at Frontier could be easily bypassed, on ZDNet.