According to a recent study, malicious actors may gain unauthorized access to users’ online accounts via a new technique known as “account pre-hijacking.”
The assault targets the account creation process, which is common on websites and other online platforms, allowing an adversary to carry out a series of operations before an unwary victim establishes an account with a target service.
Avinash Sudhodanan, an independent security researcher, led the investigation alongside Andrew Paverd of the Microsoft Security Response Center (MSRC).
Pre-hijacking relies on an attacker already having a unique identifier linked with a victim, such as an email address or phone number, which may be gained through the target’s social media accounts or from publicly available credential dumps.
The attacks may then take five different forms, including both the adversary and the victim using the same email address when creating the account, potentially giving both sides concurrent access to the account.
“If an attacker can establish an account at a target service using the victim’s email address before the victim opens an account, the attacker may use different approaches to place the account in a pre-hijacked state,” the researchers said.
- Classic-Federated Merge Attack: the victim and the attacker end up with access to the same account when the service merges two accounts established through the classic and federated identity routes with the same email address.
- Unexpired Session Identifier Attack: the attacker establishes an account using the victim’s email address and keeps a session active for a long time. When the victim recovers the account with a password reset, the attacker retains access because the reset does not terminate the attacker’s existing session.
- Trojan Identifier Attack: the attacker establishes an account using the victim’s email address and then adds a trojan identifier, such as a secondary email address or a phone number under their control, to the account. When the genuine user regains access to the account after a password reset, the attacker may use the trojan identifier to get back in.
- Unexpired Email Change Attack: the attacker opens an account using the victim’s email address and then requests a change of the account’s email address to one they control. When the service sends the new address a verification URL, the attacker waits for the victim to recover and start using the account before completing the change-of-email procedure and seizing control of it.
- Non-Verifying Identity Provider (IdP) Attack: the attacker uses an IdP that does not verify email ownership to establish an account with the target service. If the victim later creates an account through the classic registration process with the same email address, the attacker is able to obtain access to the account.
In an examination of 75 of the most popular websites by Alexa ranking, 56 pre-hijacking vulnerabilities on 35 services were discovered: 13 Classic-Federated Merge attacks, 19 Unexpired Session Identifier attacks, 12 Trojan Identifier attacks, 11 Unexpired Email Change attacks, and one Non-Verifying IdP attack. Affected services included:
- Dropbox – Unexpired Email Change Attack
- Instagram – Trojan Identifier Attack
- LinkedIn – Unexpired Session and Trojan Identifier Attacks
- WordPress.com – Unexpired Session and Unexpired Email Change Attacks
- Zoom – Classic-Federated Merge and Non-Verifying IdP Attacks
“The inability to verify ownership of the claimed identity is the fundamental cause of all assaults,” the researchers concluded.
“Although many services do this sort of verification, they often do it in an asynchronous manner, enabling the user to access some account functions before the identification is validated. While this may increase usability (by reducing user friction while signing up), it also exposes the user to pre-hijacking attempts.”
While stringent identity verification by services is critical for preventing pre-hijacking attempts, users should also enable multi-factor authentication (MFA) to protect their accounts.
“Correctly designed MFA will prohibit the attacker from authenticating to a pre-hacked account once the victim begins using it,” the researchers said. “To avoid the Unexpired Session attack, the service must additionally invalidate any sessions formed prior to the activation of MFA.”
In addition, for a defense-in-depth approach to account management, online services should remove unverified accounts on a regular basis, impose a short timeframe to authenticate a change of email address, and invalidate sessions during password resets.
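As an added illustration (not code from the researchers or the article), the toy account service below models the Unexpired Session and Unexpired Email Change attacks described above alongside two of the mitigations listed here: in `strict` mode a password reset revokes every existing session, and an email-change token expires after a short window. The class name, method names and sample addresses are constructed for this example.

```python
import secrets


class AccountService:
    """Toy service; strict=True revokes sessions on reset and expires email-change tokens."""
    def __init__(self, strict, change_ttl=900):
        self.strict = strict
        self.change_ttl = change_ttl  # seconds an email-change token stays valid
        self.accounts = {}            # email -> {"pending": (token, new_email, requested_at)}
        self.sessions = {}            # session id -> email

    def register(self, email):
        # Asynchronous verification: the account is usable before ownership is proven.
        self.accounts.setdefault(email, {"pending": None})
        sid = secrets.token_hex(8)
        self.sessions[sid] = email
        return sid

    def password_reset(self, email):
        # Victim recovers the pre-registered account; strict mode drops every old session.
        if self.strict:
            self.sessions = {s: e for s, e in self.sessions.items() if e != email}
        return self.register(email)

    def request_email_change(self, sid, new_email, now):
        token = secrets.token_hex(8)
        self.accounts[self.sessions[sid]]["pending"] = (token, new_email, now)
        return token

    def confirm_email_change(self, email, token, now):
        pending = self.accounts[email]["pending"]
        if pending is None or pending[0] != token:
            return False
        if self.strict and now - pending[2] > self.change_ttl:
            self.accounts[email]["pending"] = None  # stale token: reject and clear it
            return False
        new_email = pending[1]  # re-point the account and all of its sessions
        self.accounts[new_email] = dict(self.accounts.pop(email), pending=None)
        self.sessions = {s: (new_email if e == email else e) for s, e in self.sessions.items()}
        return True


def simulate(strict):
    """Attacker pre-registers the victim's address and queues an email change; victim then resets."""
    svc = AccountService(strict=strict)
    victim = "victim@example.com"  # constructed sample identifier
    atk_sid = svc.register(victim)
    token = svc.request_email_change(atk_sid, "attacker@example.net", now=0)
    svc.password_reset(victim)
    return {"attacker_session_survives_reset": atk_sid in svc.sessions,
            "stale_email_change_accepted": svc.confirm_email_change(victim, token, now=30 * 86400)}
```

With `strict=False` both attacks succeed after the victim's reset; with `strict=True` the attacker's session is gone and the month-old email-change token is rejected.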
“When a service combines a conventional route account with a federated route account (or vice versa), the service must confirm that the user presently manages both accounts,” Sudhodanan and Paverd said.