Skip to main content

Learn How Hackers Can Hijack Your Online Accounts Even Before You Create Them.



Malicious actors can gain unauthorized access to users' online accounts via a new technique called "account pre-hijacking," new research has found.


The attack takes aim at the account creation process that's ubiquitous in websites and other online platforms, enabling an adversary to perform a set of actions before an unsuspecting victim creates an account in a target service.


The study was led by independent security researcher Avinash Sudhodanan in collaboration with Andrew Paverd of the Microsoft Security Response Center (MSRC).


Pre-hijacking banks on the prerequisite that an attacker is already in possession of a unique identifier associated with a victim, such as an email address or phone number, which can be obtained either from the target's social media accounts or credential dumps circulating on the web.

The attacks can then play out in five different ways, including the use of the same email address during account creation by both the adversary and the victim, potentially granting the two parties concurrent access to the account.


"If the attacker can create an account at a target service using the victim's email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state," the researchers said.



account pre-hijacking

"After the victim has recovered access and started using the account, the attacker could regain access and take over the account." The five types of pre-hijacking attacks are below -


Classic-Federated Merge Attack, in which two accounts created using classic and federated identity routes with the same email address allow the victim and the attacker to access to the same account.

Unexpired Session Identifier Attack, in which the attacker creates an account using the victim's email address and maintains a long-running active session. When the user recovers the account using the same email address, the attacker continues to maintain access because the password reset did not terminate the attacker's session.

Trojan Identifier Attack, in which the attacker creates an account using the victim's email address and then adds a trojan identifier, say, a secondary email address or a phone number under their control. Thus when the actual user recovers access following a password reset, the attacker can use the trojan identifier to regain access to the account.

Unexpired Email Change Attack, in which the attacker creates an account using the victim's email address and proceeds to change the email address to one under their control. When the service sends a verification URL to the new email address, the attacker waits for the victim to recover and start using the account before completing the change-of-email process to seize control of the account.

Non-Verifying Identity Provider (IdP) Attack, in which the attacker creates an account with the target service using a non-verifying IdP. If the victim creates an account using the classic registration method with the same email address, it enables the attacker to gain access to the account.

In an empirical evaluation of 75 of the most popular websites from Alexa, 56 pre-hijacking vulnerabilities were identified on 35 services. This includes 13 Classic-Federated Merge, 19 Unexpired Session Identifier, 12 Trojan Identifier, 11 Unexpired Email Change, and one Non-Verifying IdP attacks -


Dropbox - Unexpired Email Change Attack

Instagram - Trojan Identifier Attack

LinkedIn - Unexpired Session and Trojan Identifier Attacks

Wordpress.com - Unexpired Session and Unexpired Email Change Attacks, and

Zoom - Classic-Federated Merge and Non-verifying IdP Attacks

"The root cause of all of the attacks [...] is a failure to verify ownership of the claimed identifier," the researchers said.


"Although many services do perform this type of verification, they often do so asynchronously, allowing the user to use certain features of the account before the identifier has been verified. Although this might improve usability (reduces user friction during sign up), it leaves the user vulnerable to pre-hijacking attacks."



account pre-hijacking

While implementing strict identifier verification in services is crucial to mitigating pre-hijacking attacks, it's recommended that users secure their accounts with multi-factor authentication (MFA).


"Correctly implemented MFA will prevent the attacker from authenticating to a pre-hijacked account after the victim starts using this account," the researchers noted. "The service must also invalidate any sessions created prior to the activation of MFA to prevent the Unexpired Session attack."


On top of that, online services are also advised to periodically delete unverified accounts, enforce a low window to confirm a change of email address, and invalidate sessions during password resets for a defense in-depth approach to account management.


"When a service merges an account created via the classic route with one created via the federated route (or vice-versa), the service must ensure that the user currently controls both accounts," Sudhodanan and Paverd said.


#THN


#osutayusuf

Comments

Post a Comment

Popular posts from this blog

Vurra Constituency MP Adriko Yovan gets six months imprisonment for failing to repay loan.

📸: Hon Adriko Yovan. Story By Andrew Cohen Amvesi. ARUA . Yovan Adriko, the Vurra County Member of Parliament (MP) in Arua district has been committed to six months civil prison for failing to clear debts amounting to shs55,677,400. Adriko was on Thursday evening sent to Arua government prison to serve six months shortly after his arrest at Slumberland hotel in Arua City. MP Adriko warrant of committal judgement debtor to jail. Paul Mawa of T/A Vitality Associates, the court bailiff assigned to arrest the MP, duped him to come and pick some money for a land transaction at Slumberland hotel where he picked him like a baby after a long hunt. Adriko was immediately arraigned before Her Worship Karungi Leo, the Deputy Registrar of Arua High Court who later committed him to imprisonment not exceeding six months. Part of Adriko’s warrant of arrest issued b court Adriko was sent to the coolers for failing to clear shs48m which is the princip
1 comment
Read more

Arrested Arua City Officials Taken to Kampala this Night.

Wednesday 8-November-2023. 📸: The arrest of Arua City Physical Planner Mr Findru Moses on 6-Nov-2023 at around 2pm. 📸: Mr Jobile Cornelius the City Deputy town clerk who was arrested on 7-Nov-2023 at around 4pm. 📸: Mrs Lillian Aleni (in red cloth) and Mr Edoni Benard being handcuffed by police officer on 6-Nov-2023 at around 6pm. The bail that was to be issued last night 8pm 7-Nov-2023 to release the arrested City Deputy town clerk Mr Jobile Cornelius and CFO Mr Sam Adriko over mismanagement of government properties and monies was canceled, and by this time of the night 11pm, highly placed sources leaked that, all the arrested suspects (Mr Findru Moses the Arua City Physical Planner, Mr Jobile Cornelius the Deputy City clerk, Mr Adriko Sam the CFO, Mr Edoni Benard the PDM BOG Chairperson for Pangisa ward and Mrs Lillian Aleni the parish chief for Pangisa ward) are being transported by State House Anti-corruption Unit officers who will soon be reac
Post a Comment
Read more

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nile re
Post a Comment
Read more