Threat actors could gain access to users’ online accounts by exploiting a new type of technique that involves pre-hijacking an account before it is actually registered by the victim.
“Account pre-hijacking” is a new class of attack that can be used to gain access to a targeted account, and many online services could be vulnerable.
The account pre-hijacking attack class was analyzed by independent researcher Avinash Sudhodanan and Andrew Paverd of the Microsoft Security Response Center. Microsoft funded the project with a grant that offered up to $75,000 for proposals to improve the security of its identity solutions.
Compromised accounts are involved in many attacks, but in conventional account takeover the attacker compromises an account after the victim has created it. In pre-hijacking attacks, the attacker predicts which online service the target will use and takes certain actions on that service before the victim creates an account there.
These attacks may involve federated identity and single sign-on (SSO) services, which allow users to sign up for certain online services using existing accounts registered with companies such as Microsoft, Google, and Facebook.
In a research paper published last week, Sudhodanan and Paverd described five types of pre-hijack attack methods. In one type of attack, the attacker creates an account using the victim’s email address, and the victim then registers on the same website using a federated identity service. If the website cannot securely merge the two accounts, both the attacker and the victim may end up with access to the same account.
It could also work if the attacker registers an account using a federated identity while the victim creates an account on the same website using the regular registration process.
Another method involves unexpired session IDs. The attacker creates an account with the victim’s email address and maintains a long-lasting active session. The legitimate user can reset the password in order to gain access to the account, but the attacker could still retain access if their session was not invalidated following the password reset.
An attacker could also create an account and add a so-called “Trojan ID” which would later give them access to an account. This can be an alternate email address or phone number where password reset or one-time authentication links are sent.
Another interesting technique is for the attacker to initiate the process of changing an account’s email address to one they control. This process usually involves sending a verification URL to the new address. However, the attacker only completes the verification at a later date, allowing them to regain access after the victim has been using the account for some time.
Researchers analyzed 75 popular services and found that at least 35 of them were vulnerable to one or more pre-hijacking attacks. The list includes popular social media, cloud storage, video conferencing and blogging services. Affected providers were notified between March and September 2021, but many online services may still be vulnerable.
While these methods can be used against individual users, the researchers believe they could also be used to target an entire organization. For example, the attacker could sign up for a service that is gaining popularity using email addresses from previously leaked account data. In attacks against an organization, if the attacker knows the organization plans to adopt a particular service in the future, they can create accounts there using the organization’s publicly available email addresses.
“Basically, the root cause of pre-account takeover vulnerabilities is that the service fails to verify that the user actually owns the provided identifier (e.g., email address or phone number) before authorizing use of the account,” the researchers explained. “While many services require credential verification, they often do so asynchronously, allowing the user (or attacker) to use certain account features before the credential has been verified. While this may improve usability, it creates a window of vulnerability for pre-hacking attacks.”
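The following is an added illustration, not code from the paper or from any of the affected services: a minimal account-service model showing the defensive rule the researchers describe. State created before ownership of the identifier is proven (live sessions, pending email changes, unverified recovery identifiers) is discarded the moment the real owner proves ownership, whether by a federated sign-in or a password reset. Class and method names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password: Optional[str] = None
    email_verified: bool = False
    sessions: set = field(default_factory=set)
    pending_email_change: Optional[str] = None
    unverified_recovery_ids: set = field(default_factory=set)  # would-be "Trojan IDs"


class AccountService:
    def __init__(self):
        self.accounts = {}

    def _session(self, acct):
        sid = secrets.token_hex(16)
        acct.sessions.add(sid)
        return sid

    def _revoke_pre_verification_state(self, acct):
        # Everything set up before ownership was proven is dropped: sessions,
        # unfinished email changes and recovery identifiers never verified.
        acct.sessions.clear()
        acct.pending_email_change = None
        acct.unverified_recovery_ids.clear()

    def register_classic(self, email, password):
        # Classic sign-up: the address stays unverified until its owner confirms it.
        acct = self.accounts.setdefault(email, Account(email))
        if acct.password is None:
            acct.password = password
        return self._session(acct)

    def request_email_change(self, email, sid, new_email):
        acct = self.accounts[email]
        if sid in acct.sessions:
            acct.pending_email_change = new_email  # completed only via a later link

    def login_federated(self, email):
        # The identity provider vouches for `email`. An existing but unverified
        # classic account is not merged; its pre-verification state is wiped.
        acct = self.accounts.setdefault(email, Account(email))
        if not acct.email_verified:
            acct.password = None
            self._revoke_pre_verification_state(acct)
        acct.email_verified = True
        return self._session(acct)

    def reset_password(self, email, new_password):
        # A completed reset proves ownership and must log out every session,
        # not merely rotate the password.
        acct = self.accounts[email]
        acct.password = new_password
        acct.email_verified = True
        self._revoke_pre_verification_state(acct)
        return self._session(acct)

    def is_logged_in(self, email, sid):
        return sid in self.accounts[email].sessions
```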