Hackers Can ‘Pre-Hijack’ Online Accounts Before They Are Created by Users

Threat actors could gain access to users’ online accounts by leveraging a new type of technique that involves pre-hijacking an account before it’s actually registered by the victim.

“Account pre-hijacking” is a new class of attacks that can be used to gain access to a targeted account, and many online services could be vulnerable.

Account pre-hijacking was analyzed by independent researcher Avinash Sudhodanan and Andrew Paverd of the Microsoft Security Response Center. Microsoft funded the project through a grant that offered up to $75,000 for proposals on improving the security of its identity solutions.

Compromised accounts are involved in many attacks, but the targeted accounts are taken over by the attacker after they are created. In pre-hijacking attacks, the attacker predicts which online service will be used by the targeted individual and conducts certain activities before the victim creates an account.

These attacks can involve federated identity and single sign-on (SSO) services, which allow users to sign up for certain online services using existing accounts registered with companies such as Microsoft, Google and Facebook.

In a research paper published last week, Sudhodanan and Paverd described five types of pre-hijacking attack methods. In one type of attack, the hacker creates an account using the victim’s email address, and the victim later signs up for the same website using a federated identity service. If the website is not capable of merging the two accounts securely, both the attacker and the victim could have access to the account.

This could also work if the attacker registers an account using a federated identity while the victim creates an account on the same website using the classic registration process.

Another method involves unexpired session identifiers. The attacker creates an account with the victim’s email address and maintains a long-running active session. The legitimate user can reset the password in order to gain access to the account, but the attacker could still maintain access if their session has not been invalidated following the password reset.

An attacker could also create an account and add a so-called “trojan identifier” that would later give them access to an account. This can be a secondary email address or phone number where password reset or one-time authentication links are sent.

Another interesting technique starts with the attacker initiating the process of changing an account’s email address to an address they control. This process typically involves a verification URL being sent to the new address. However, the attacker only completes the verification process at a later date, enabling them to regain access to an account after it has been used by the victim for a certain period of time.

Account pre-hijacking attack

The researchers have analyzed 75 popular services and found that at least 35 of them were vulnerable to one or more account pre-hijacking attacks. The list includes popular social media, cloud storage, video conferencing, and blogging services. Affected vendors were notified between March and September 2021, but many online services could still be vulnerable.

While these methods can be used against individual users, the researchers believe they could also be leveraged to target an entire organization. For instance, the attacker could sign up for a service that is gaining popularity using email addresses from previously leaked account data. In attacks aimed at an organization, if the attacker knows that the organization plans to use a particular service in the future, they could create accounts using its publicly available email addresses.

“Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account,” the researchers explained. “Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.”
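The root cause quoted above, and the unexpired-session and delayed email-change methods described earlier, come down to three service-side decisions: whether an account can be used before its identifier is verified, whether a password reset revokes existing sessions, and whether a pending identifier change is still honoured long after it was requested. The following is an added example (not code from the researchers or from any affected service) of a toy account service that models the permissive behaviour with `strict=False` and the hardened behaviour with `strict=True`; all names, the e-mail addresses and the one-hour token lifetime are constructed for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field


def _hash_password(password, salt):
    # PBKDF2 keeps the example self-contained; a real service would use a
    # dedicated password hash such as Argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    verify_token: str
    verified: bool = False
    sessions: set = field(default_factory=set)
    pending_changes: dict = field(default_factory=dict)  # token -> (new_email, issued_at)


class AccountService:
    """Toy service: strict=True applies the mitigations, strict=False does not."""

    def __init__(self, strict=True, change_ttl=3600.0, now=time.time):
        self.strict = strict          # apply the mitigations or not
        self.change_ttl = change_ttl  # lifetime of an e-mail change token (seconds)
        self.now = now                # injectable clock so tests can skip ahead
        self.accounts = {}            # email -> Account
        self.sessions = {}            # session id -> email

    def register(self, email, password):
        """Creates an unverified account; returns the token that would be e-mailed."""
        salt = secrets.token_bytes(16)
        acct = Account(email, salt, _hash_password(password, salt), secrets.token_urlsafe(16))
        self.accounts[email] = acct
        return acct.verify_token

    def verify(self, email, token):
        acct = self.accounts[email]
        if secrets.compare_digest(acct.verify_token, token):
            acct.verified = True
        return acct.verified

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or not secrets.compare_digest(
                acct.password_hash, _hash_password(password, acct.salt)):
            return None
        if self.strict and not acct.verified:
            return None  # mitigation: no use of the account before ownership is proven
        sid = secrets.token_urlsafe(16)
        acct.sessions.add(sid)
        self.sessions[sid] = email
        return sid

    def session_valid(self, sid):
        return sid in self.sessions

    def reset_password(self, email, new_password):
        """Reset by whoever proves control of the e-mail address."""
        acct = self.accounts[email]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.verified = True  # completing the reset proved control of the address
        if self.strict:
            # mitigation: revoke every session and discard pending identifier changes
            for sid in acct.sessions:
                self.sessions.pop(sid, None)
            acct.sessions.clear()
            acct.pending_changes.clear()

    def request_email_change(self, sid, new_email):
        """Starts an e-mail change; returns the token that would be sent to new_email."""
        acct = self.accounts[self.sessions[sid]]
        token = secrets.token_urlsafe(16)
        acct.pending_changes[token] = (new_email, self.now())
        return token

    def confirm_email_change(self, email, token):
        acct = self.accounts[email]
        change = acct.pending_changes.pop(token, None)
        if change is None:
            return False
        new_email, issued = change
        if self.strict and self.now() - issued > self.change_ttl:
            return False  # mitigation: a change must be confirmed promptly
        self.accounts[new_email] = self.accounts.pop(email)
        acct.email = new_email
        for sid in acct.sessions:
            self.sessions[sid] = new_email
        return True


def unexpired_session_attack(strict):
    """Attacker registers with the victim's address and keeps a session open;
    the victim later resets the password. Returns True if the session survives."""
    svc = AccountService(strict=strict)
    svc.register("victim@example.com", "attacker-chosen")  # verification mail ignored
    sid = svc.login("victim@example.com", "attacker-chosen")
    if sid is None:
        return False
    svc.reset_password("victim@example.com", "victim-chosen")
    return svc.session_valid(sid)


def unexpired_email_change_attack(strict):
    """Attacker starts a change to their own address but waits; the victim resets
    the password and uses the account. Returns True if the stale confirmation
    still moves the account to the attacker's address."""
    clock = [0.0]
    svc = AccountService(strict=strict, now=lambda: clock[0])
    svc.register("victim@example.com", "attacker-chosen")
    sid = svc.login("victim@example.com", "attacker-chosen")
    if sid is None:
        return False
    token = svc.request_email_change(sid, "attacker@example.com")
    svc.reset_password("victim@example.com", "victim-chosen")
    clock[0] += 30 * 24 * 3600  # a month passes before the attacker confirms
    return svc.confirm_email_change("victim@example.com", token) and \
        "attacker@example.com" in svc.accounts
```

Both scenario functions return `True` against the permissive service and `False` against the hardened one. The hardened service closes the window in three independent places, so a service that cannot block all use of unverified accounts for usability reasons still benefits from revoking sessions and pending identifier changes on password reset, and from expiring change tokens.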


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
