Identity & Access

Hackers Can ‘Pre-Hijack’ Online Accounts Before They Are Created by Users

Threat actors could gain access to users’ online accounts by leveraging a new type of technique that involves pre-hijacking an account before it’s actually registered by the victim.

“Account pre-hijacking” is a new class of attacks that can be used to gain access to a targeted account, and many online services could be vulnerable.


Account pre-hijacking was analyzed by independent researcher Avinash Sudhodanan and Andrew Paverd of the Microsoft Security Response Center. Microsoft funded the project through a grant that offered up to $75,000 for proposals on improving the security of its identity solutions.

Compromised accounts are involved in many attacks, but the targeted accounts are taken over by the attacker after they are created. In pre-hijacking attacks, the attacker predicts which online service will be used by the targeted individual and conducts certain activities before the victim creates an account.

These attacks can involve federated identity and single sign-on (SSO) services, which allow users to sign up for certain online services using existing accounts registered with companies such as Microsoft, Google and Facebook.

In a research paper published last week, Sudhodanan and Paverd described five types of pre-hijacking attack methods. In one type of attack, the hacker creates an account using the victim’s email address, and the victim later signs up for the same website using a federated identity service. If the website is not capable of merging the two accounts securely, both the attacker and the victim could have access to the account.

This could also work if the attacker registers an account using a federated identity while the victim creates an account on the same website using the classic registration process.

Another method involves unexpired session identifiers. The attacker creates an account with the victim’s email address and maintains a long-running active session. The legitimate user can reset the password in order to gain access to the account, but the attacker could still maintain access if their session has not been invalidated following the password reset.


An attacker could also create an account and add a so-called “trojan identifier” that would later give them access to an account. This can be a secondary email address or phone number where password reset or one-time authentication links are sent.

Another interesting technique starts with the attacker initiating the process of changing an account’s email address to an address they control. This process typically involves a verification URL being sent to the new address. However, the attacker only completes the verification process at a later date, enabling them to regain access to an account after it has been used by the victim for a certain period of time.

Account pre-hijacking attack

The researchers have analyzed 75 popular services and found that at least 35 of them were vulnerable to one or more account pre-hijacking attacks. The list includes popular social media, cloud storage, video conferencing, and blogging services. Affected vendors were notified between March and September 2021, but many online services could still be vulnerable.

While these methods can be used against individual users, the researchers believe they could also be leveraged to target an entire organization. For instance, an attacker could pre-register accounts on a service that is gaining popularity, using email addresses from previously leaked account data. In attacks aimed at an organization, if the attacker knows that the organization plans to use a particular service in the future, they could create accounts with the organization's publicly available email addresses.

“Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account,” the researchers explained. “Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.”
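To make that root cause concrete, here is an added toy model (not code from the paper or from any of the affected services) that replays two of the attack types described above, the classic-federated merge and the unexpired session, against an account store that verifies identifiers asynchronously, and then against the same store with two defensive fixes: a federated sign-in never merges into an account whose identifier was never verified, and a password reset invalidates every existing session. The class names, method names and the sample address are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    verified: bool = False        # has the user proved ownership of `email`?
    password: str = ""
    sessions: set = field(default_factory=set)

class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened  # True applies the two defensive fixes below
        self.accounts = {}
    def _new_session(self, acct):
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token
    def register_classic(self, email, password):
        # Verification is asynchronous, as the article describes: usable immediately.
        acct = self.accounts.setdefault(email, Account(email))
        acct.password = password
        return self._new_session(acct)
    def federated_signin(self, email):
        acct = self.accounts.get(email)
        if acct is None or (self.hardened and not acct.verified):
            # Hardened: an existing account that never proved ownership is discarded,
            # so an attacker-chosen password and its sessions do not survive SSO sign-in.
            acct = self.accounts[email] = Account(email, verified=True)
        # Vulnerable path falls through and silently merges, keeping the old sessions.
        return self._new_session(acct)
    def reset_password(self, email, new_password):
        acct = self.accounts[email]
        acct.password = new_password
        if self.hardened:
            acct.sessions.clear()  # fix: invalidate every pre-existing session
        return self._new_session(acct)
    def session_valid(self, email, token):
        return token in self.accounts[email].sessions

def run_scenarios(hardened):
    """Map scenario name -> True if the attacker's pre-registration session still works."""
    victim = "victim@example.com"  # constructed sample identifier
    a = AccountService(hardened)
    atk = a.register_classic(victim, "attacker-pw")  # attacker pre-registers with victim's email
    a.federated_signin(victim)                        # victim later signs up via SSO
    b = AccountService(hardened)
    atk2 = b.register_classic(victim, "attacker-pw")
    b.reset_password(victim, "victim-pw")            # victim resets password to take the account
    return {"merge": a.session_valid(victim, atk), "unexpired": b.session_valid(victim, atk2)}
```

With `hardened=False` both scenarios report `True` (the pre-registered session survives); with `hardened=True` both report `False`.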


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
