Skip to main content

Learn How Hackers Can Hijack Your Online Accounts Even Before You Create Them.



Malicious actors can gain unauthorized access to users' online accounts via a new technique called "account pre-hijacking," new research has found.


The attack takes aim at the account creation process that's ubiquitous in websites and other online platforms, enabling an adversary to perform a set of actions before an unsuspecting victim creates an account in a target service.


The study was led by independent security researcher Avinash Sudhodanan in collaboration with Andrew Paverd of the Microsoft Security Response Center (MSRC).


Pre-hijacking banks on the prerequisite that an attacker is already in possession of a unique identifier associated with a victim, such as an email address or phone number, which can be obtained either from the target's social media accounts or credential dumps circulating on the web.

The attacks can then play out in five different ways, including the use of the same email address during account creation by both the adversary and the victim, potentially granting the two parties concurrent access to the account.


"If the attacker can create an account at a target service using the victim's email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state," the researchers said.



account pre-hijacking

"After the victim has recovered access and started using the account, the attacker could regain access and take over the account." The five types of pre-hijacking attacks are below -


Classic-Federated Merge Attack, in which two accounts created using classic and federated identity routes with the same email address allow the victim and the attacker to access to the same account.

Unexpired Session Identifier Attack, in which the attacker creates an account using the victim's email address and maintains a long-running active session. When the user recovers the account using the same email address, the attacker continues to maintain access because the password reset did not terminate the attacker's session.

Trojan Identifier Attack, in which the attacker creates an account using the victim's email address and then adds a trojan identifier, say, a secondary email address or a phone number under their control. Thus when the actual user recovers access following a password reset, the attacker can use the trojan identifier to regain access to the account.

Unexpired Email Change Attack, in which the attacker creates an account using the victim's email address and proceeds to change the email address to one under their control. When the service sends a verification URL to the new email address, the attacker waits for the victim to recover and start using the account before completing the change-of-email process to seize control of the account.

Non-Verifying Identity Provider (IdP) Attack, in which the attacker creates an account with the target service using a non-verifying IdP. If the victim creates an account using the classic registration method with the same email address, it enables the attacker to gain access to the account.

In an empirical evaluation of 75 of the most popular websites from Alexa, 56 pre-hijacking vulnerabilities were identified on 35 services. This includes 13 Classic-Federated Merge, 19 Unexpired Session Identifier, 12 Trojan Identifier, 11 Unexpired Email Change, and one Non-Verifying IdP attacks -


Dropbox - Unexpired Email Change Attack

Instagram - Trojan Identifier Attack

LinkedIn - Unexpired Session and Trojan Identifier Attacks

Wordpress.com - Unexpired Session and Unexpired Email Change Attacks, and

Zoom - Classic-Federated Merge and Non-verifying IdP Attacks

"The root cause of all of the attacks [...] is a failure to verify ownership of the claimed identifier," the researchers said.


"Although many services do perform this type of verification, they often do so asynchronously, allowing the user to use certain features of the account before the identifier has been verified. Although this might improve usability (reduces user friction during sign up), it leaves the user vulnerable to pre-hijacking attacks."



account pre-hijacking

While implementing strict identifier verification in services is crucial to mitigating pre-hijacking attacks, it's recommended that users secure their accounts with multi-factor authentication (MFA).


"Correctly implemented MFA will prevent the attacker from authenticating to a pre-hijacked account after the victim starts using this account," the researchers noted. "The service must also invalidate any sessions created prior to the activation of MFA to prevent the Unexpired Session attack."


On top of that, online services are also advised to periodically delete unverified accounts, enforce a low window to confirm a change of email address, and invalidate sessions during password resets for a defense in-depth approach to account management.


"When a service merges an account created via the classic route with one created via the federated route (or vice-versa), the service must ensure that the user currently controls both accounts," Sudhodanan and Paverd said.


#THN


#osutayusuf

Comments

Popular posts from this blog

Escaped Murder Suspect Finally Arrested in Yumbe Regional Referral Hospital, Yumbe District.

Story by Osuta Yusuf. 19-November-2024. 📸: Eyotre Kennedy handcuffed on bed while receiving medication this morning at Yumbe Regional Referral Hospital in Yumbe District. Eyotre Kennedy originating from Etoko village, Nyoroo Parish, Nyadri Sub-county in Maracha District who has for many years been terrorizing residents in his village, has finally been arrested this Monday morning 19-November-2024 while receiving treatment at Yumbe Regional Referral Hospital in Yumbe District following injuries he sustained from Theft mission on Saturday night 16-November-2024 in Owapi village, Azapi parish in Odupi Sub-county, Terego East Constituency in Terego District. Click here on the link  https://informationispowah.blogspot.com/2024/11/fugitive-who-chopped-3-people-killed.html   to read the story on his Theft of Goats in Terego. Upon getting cut on the finger and leg by the Mob as he attempted to fight and overpower owner of the goats he attempted to steal on Saturday night ...

41-Years-Old Man Digs His Own Grave in Maracha District.

Story by Osuta Yusuf.  Maracha District.  📸: The grave been dug by Mr Opiga Michael, a victim of frustration. Photo taken by Osuta Yusuf , on Wednesday 11-September-2024. The residents of Ebapi village, Baria Parish in Nyadri Sub-county, Maracha east constituency, Maracha District are in shock after a 41 year old man started digging his own grave. The man, identified as Mr Opiga Michael, who seems to be frustrated over some challenges in life, started digging his own grave on Tuesday 10-September-2024 until he was stopped by the elders in Nyaria clan. 📸: Opiga Michael, the Victim of Frustration. Photo by Osuta Yusuf , Information is Power. While speaking to our reporter on Wednesday evening 11-September-2024, Mr Opiga Michael, said, his main plan  was to commit suicide after finishing digging the grave for burying himself, explained that, he feels frustrated, abandoned and hated by his own clan people, whom he accused of piling lies against him a...

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nil...