Mass Drupal Password Resets

If you are the admin of a Drupal 6 or Drupal 7 website you have likely received a password reset email that you did not request. This is caused by a bot (or several bots) repeatedly submitting the password reset form at `user/password` with your username or email address, which triggers an email on every valid submission.

When a password reset is requested, Drupal mails the account a one-time login link. That link is, by design, a second way into the account: anyone who presents a valid link is logged in and can set a new password. The link has the form `user/reset/UID/TIMESTAMP/HASH`, where HASH is a keyed hash over the timestamp and the account's last login time using secrets the attacker does not have (the stored password hash, and in Drupal 7 also the site's private key). The path is served to anyone, so in principle an attacker who could guess a valid HASH for an administrator account would gain full control of the site. Guessing it is far harder than brute-forcing the login form, because the hash space is vastly larger than any password space (32 hex characters in Drupal 6, 43 URL-safe base64 characters in Drupal 7). What the reset path lacks is flood protection. Drupal 7 rate-limits failed logins per IP and per account by default, but neither the password request form nor the `user/reset/...` path counts attempts, so an attacker can try an endless number of URLs without ever being blocked. A link stays valid for 24 hours by default (`user_password_reset_timeout`, 86400 seconds, in Drupal 7; hard-coded to 24 hours in Drupal 6) or until the account next logs in, whichever comes first. One caveat worth knowing: the expiry check is skipped for accounts that have never logged in, so a reset link for such an account does not time out at all.
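The missing flood control can be added without patching core. The following is an added example for this post, not code from Drupal core or from any site mentioned here: a small hypothetical Drupal 7 module (`reset_flood`) that rate-limits the password request form per IP and swaps the open access callback on `user/reset/%/%/%` for one that counts hits. The limits (5 reset requests and 10 reset-link hits per IP per hour) are assumptions; tune them for your traffic. It uses only the core `flood_is_allowed()`, `flood_register_event()`, `hook_form_FORM_ID_alter()` and `hook_menu_alter()` APIs.

```php
<?php
/**
 * @file
 * reset_flood.module: hypothetical Drupal 7 module adding flood control to
 * the password reset request form and to one-time login (reset) links.
 * Added example for this post; not part of Drupal core.
 */

// Per-IP thresholds. These values are illustrative assumptions.
define('RESET_FLOOD_REQUEST_LIMIT', 5);   // reset emails per IP per window
define('RESET_FLOOD_LINK_LIMIT', 10);     // user/reset/* hits per IP per window
define('RESET_FLOOD_WINDOW', 3600);       // window length in seconds

/**
 * Implements hook_form_FORM_ID_alter() for user_pass.
 *
 * Our validator runs first, so a blocked IP never reaches the core handler
 * that looks up the account and sends the email.
 */
function reset_flood_form_user_pass_alter(&$form, &$form_state) {
  if (!isset($form['#validate'])) {
    $form['#validate'] = array();
  }
  array_unshift($form['#validate'], 'reset_flood_user_pass_validate');
}

/**
 * Validation handler: reject the request when the IP is over its limit.
 */
function reset_flood_user_pass_validate($form, &$form_state) {
  $ip = ip_address();
  if (!flood_is_allowed('reset_flood_request', RESET_FLOOD_REQUEST_LIMIT, RESET_FLOOD_WINDOW, $ip)) {
    watchdog('reset_flood', 'Password reset request limit reached for %ip.', array('%ip' => $ip), WATCHDOG_WARNING);
    form_set_error('name', t('Too many password reset requests from your address. Please try again later.'));
    return;
  }
  // Count the attempt whether or not the name/email turns out to exist, so
  // a bot cannot probe for valid accounts without spending its budget.
  flood_register_event('reset_flood_request', RESET_FLOOD_WINDOW, $ip);
}

/**
 * Implements hook_menu_alter().
 *
 * Core registers user/reset/%/%/% with 'access callback' => TRUE, so any
 * client may present as many HASH values as it likes. Replace that with a
 * rate-limited access check.
 */
function reset_flood_menu_alter(&$items) {
  if (isset($items['user/reset/%/%/%'])) {
    $items['user/reset/%/%/%']['access callback'] = 'reset_flood_reset_link_access';
    $items['user/reset/%/%/%']['access arguments'] = array();
  }
}

/**
 * Access callback for reset links: deny once an IP has hit too many of them.
 *
 * A legitimate user follows one link; a guesser needs an astronomical number,
 * so a low per-IP ceiling costs real users nothing.
 */
function reset_flood_reset_link_access() {
  $ip = ip_address();
  if (!flood_is_allowed('reset_flood_link', RESET_FLOOD_LINK_LIMIT, RESET_FLOOD_WINDOW, $ip)) {
    watchdog('reset_flood', 'Reset link limit reached for %ip.', array('%ip' => $ip), WATCHDOG_WARNING);
    return FALSE;
  }
  flood_register_event('reset_flood_link', RESET_FLOOD_WINDOW, $ip);
  return TRUE;
}
```

To use it, add a matching `reset_flood.info` file with `core = 7.x`, enable the module and clear caches so `hook_menu_alter()` takes effect. Drupal 6 offers the same two hooks, but its `flood_is_allowed()` and `flood_register_event()` take no window or identifier arguments (the client IP is implicit and the window is one hour), so drop those parameters there. Per-IP limits are a floor, not a ceiling: a distributed bot net rotates addresses, so keep watching the `watchdog` log and the volume of reset mails after deploying this.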

The other possibility is that reset URLs are leaking somewhere unknown. Given the volume of reset requests being generated, that cannot be ruled out. If you suspect it, check where the reset mails travel (mail server logs, forwarding rules, shared mailboxes) and who can read the site's mail and web server logs, since a valid link in any of those places is as good as the password.

This issue is being discussed in the Drupal core issue queue: https://www.drupal.org/project/drupal/issues/2939720

Brad Anderson

Brad Anderson is the founder and CEO of Fruition. Brad combined his passion for marketing, technology, innovation and data-based decision making into a successful national digital marketing agency when he created the Denver-based Fruition. Brad brings the unique perspective of an expert marketer, board member, agency owner and entrepreneur to his career and his thought-leadership writing.
