Threat actors could gain access to users’ online accounts by leveraging a new type of technique that involves pre-hijacking an account before it’s actually registered by the victim.
“Account pre-hijacking” is a new class of attacks that can be used to gain access to a targeted account, and many online services could be vulnerable.
Account pre-hijacking was analyzed by independent researcher Avinash Sudhodanan and Andrew Paverd of the Microsoft Security Response Center. Microsoft funded the project through a grant that offered up to $75,000 for proposals on improving the security of its identity solutions.
Compromised accounts are involved in many attacks, but the targeted accounts are taken over by the attacker after they are created. In pre-hijacking attacks, the attacker predicts which online service will be used by the targeted individual and conducts certain activities before the victim creates an account.
These attacks can involve federated identity and single sign-on (SSO) services, which allow users to sign up for certain online services using existing accounts registered with companies such as Microsoft, Google and Facebook.
In a research paper published last week, Sudhodanan and Paverd described five types of pre-hijacking attack methods. In one type of attack, the hacker creates an account using the victim’s email address, and the victim later signs up for the same website using a federated identity service. If the website is not capable of merging the two accounts securely, both the attacker and the victim could have access to the account.
This could also work if the attacker registers an account using a federated identity while the victim creates an account on the same website using the classic registration process.
Another method involves unexpired session identifiers. The attacker creates an account with the victim’s email address and maintains a long-running active session. The legitimate user can reset the password in order to gain access to the account, but the attacker could still maintain access if their session has not been invalidated following the password reset.
An attacker could also create an account and add a so-called “trojan identifier” that would later give them access to an account. This can be a secondary email address or phone number where password reset or one-time authentication links are sent.
Another interesting technique starts with the attacker initiating the process of changing an account’s email address to an address they control. This process typically involves a verification URL being sent to the new address. However, the attacker only completes the verification process at a later date, enabling them to regain access to an account after it has been used by the victim for a certain period of time.
The researchers have analyzed 75 popular services and found that at least 35 of them were vulnerable to one or more account pre-hijacking attacks. The list includes popular social media, cloud storage, video conferencing, and blogging services. Affected vendors were notified between March and September 2021, but many online services could still be vulnerable.
While these methods can be used against individual users, the researchers believe they could also be leveraged to target an entire organization. For instance, the attacker could sign up for a service that is gaining popularity using previously leaked accounts. In attacks aimed at an organization, if the attacker knows that they plan on using a particular service in the future, they could create accounts with publicly available email addresses.
“Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account,” the researchers explained. “Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.”
Related: Multi-Factor Authentication Bypass Led to Box Account Takeover
Related: GitLab Patches Critical Account Takeover Vulnerability
Related: Microsoft Pays $50,000 Bounty for Account Takeover Vulnerability