We are all acquainted with the idea of account hijacking. But now there is a new threat upon us: account pre-hijacking, in which an attacker prepares to take over an account before the victim has even created it. Let us go over the five kinds of account pre-hijacking attacks delineated by two security researchers in their report.

Classic-federated merge

This attack abuses a flaw in how two account-creation routes interact. The same email address can be used to create two accounts, a normal account by the user (classic route) and a federated account by the attacker (federated route), which the service then merges into one.

Non-verifying identity provider

Here the roles are reversed: the attacker creates a normal account while the user creates a federated account. The attacker then uses an identity provider that does not require email address verification.

Unexpired email change

This attack abuses a flaw in which the website fails to invalidate a pending email change after a user resets the password. The hijacker creates an account with the user's email address, submits a request to change the email to one they control, but does not complete it. Once the victim resets the password, the attacker confirms the pending change and takes over the account.

Unexpired session

This attack arises when an already authenticated session is not signed out when the password is reset. The attacker keeps that session active via an automated script and so retains access after the victim resets the password.

Trojan identifier

This attack is a combination of classic-federated merge and unexpired session attacks.

Why this matters

The researchers analyzed 75 websites from the Alexa top 150 and discovered that 35 of them were prone to at least one of the attacks described above. For instance, Dropbox is vulnerable to the unexpired email change attack, and LinkedIn is vulnerable to the unexpired session and trojan identifier attacks.

The bottom line

The root cause of pre-hijacking attacks is that the service or website fails to verify that the user actually owns a given email address or phone number. The attacks described above can be mitigated by verifying ownership of the identifier. Users can, moreover, protect themselves by enabling MFA if the service or website supports the feature.
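As an added illustration (not code from the article or the researchers' report), the following toy Python account store applies the mitigations named above: a federated login is merged into an existing account only when both the service and the identity provider have verified the address, and a password reset revokes every existing session and cancels any pending email change. Names such as AccountStore, federated_login and idp_verified_email are assumptions for this example.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Account:
    email: str
    email_verified: bool = False            # True only once the mailbox proved ownership
    password: str = ""
    sessions: set = field(default_factory=set)
    pending_email_change: str = ""          # unconfirmed new address, empty if none

class AccountStore:
    def __init__(self):
        self.accounts = {}                  # hypothetical in-memory store, keyed by email

    def _new_session(self, acct):
        tok = secrets.token_hex(8)
        acct.sessions.add(tok)
        return tok

    def classic_signup(self, email, password):
        # Classic route: the account exists at once but stays unverified.
        if email in self.accounts:
            raise ValueError("account already exists")
        acct = self.accounts[email] = Account(email, password=password)
        return self._new_session(acct)

    def federated_login(self, email, idp_verified_email):
        # Federated route: merge into an existing account only if both sides verified it.
        acct = self.accounts.get(email)
        if acct is None:
            acct = self.accounts[email] = Account(email, email_verified=idp_verified_email)
        elif not (acct.email_verified and idp_verified_email):
            raise PermissionError("refusing to merge into an unverified account")
        return self._new_session(acct)

    def request_email_change(self, email, new_email):
        self.accounts[email].pending_email_change = new_email

    def reset_password(self, email, new_password):
        # Reset link proves mailbox ownership: verify, revoke all sessions, cancel pending change.
        acct = self.accounts[email]
        acct.password, acct.email_verified = new_password, True
        acct.sessions.clear()
        acct.pending_email_change = ""
        return self._new_session(acct)

    def is_valid_session(self, email, tok):
        return tok in self.accounts[email].sessions
```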

Cyware Publisher
