Using Pre-Hijacking Attacks, Hackers Can Compromise Other People’s Accounts Even before They Are Registered

Microsoft Security Response Center analyst Andrew Paverd and independent information security specialist Avinash Sudhodanan described an interesting type of attack, pre-hijacking, in which hackers can compromise other people’s LinkedIn, Zoom, WordPress, Dropbox and other accounts even before they are registered.

Let me remind you that we also wrote that Spyware Predator Uses Five 0-day Vulnerabilities to Attack Android Users.

In total, the experts studied 75 popular online services and found that at least 35 of them were vulnerable to account pre-hijacking attacks.

“The consequences of pre-hijacking attacks are exactly the same as those of an account takeover. Depending on the nature of the target service, a successful attack may allow an attacker to read/modify sensitive information associated with an account (for example, messages, payment documents, usage history, etc.) or perform actions using the identity of the victim (for example, send fake messages, make purchases using saved payment methods, and so on),” the authors of the article say.


For such an attack to work, the hacker needs to know the email address of the future victim, which is easy to obtain through correspondence or through the numerous data leaks that occur almost daily. The attacker then creates an account on the vulnerable site using that email address and hopes that the victim ignores the notification that arrives in their mailbox (for example, dismissing it as spam). Finally, the attacker waits until the victim decides to create an account on that site, or tricks them into doing so.

As a result, the attacker gets the opportunity to carry out five different attacks.

Classic-federated merge (CFM): The vulnerable platform supports account merging, and when the target creates an account with an email address that already exists, in some cases it does not even notify the user of this fact. The attack relies on the victim being offered the Single Sign-On (SSO) option, so the victim never changes the password the attacker set.

Unexpired session (US): After creating an account, the hacker keeps the session active using an automated script. When the victim creates an account and resets the password, the active session may not be invalidated, so the attacker will still have access to the account.

Trojan identifier (TID): combines the Classic-Federated Merge and Unexpired Session attack types. “The attacker creates a pre-hacked account using the victim’s email address and then associates the account with the attacker’s IdP (Identity provider) account for federated authentication. When the victim resets the password (as in a US attack), the attacker still retains access to the account through the federated authentication route,” the article explains.

Unexpired email change (UEC): The attacker creates an account using the victim’s email address and then sends a request to change that address, but does not verify it. After the victim resets the password themselves, the attacker confirms the change and takes control of the account.

Non-verifying IdP (NV): A hacker exploits the lack of verification of IdP ownership when creating an account, which opens up the possibility of abusing cloud login services such as Okta and OneLogin.

Since many services today require new users to verify that the email address belongs to them, creating new accounts with someone else’s email address will not work in such cases. To bypass this limitation, an attacker can create an account using their own email address and then change it to the victim’s, abusing standard functionality available in most online services.
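The common thread in the US, UEC and TID variants above is state that the first registrant set up before the mailbox owner ever proved control of the address, and that survives the owner’s password reset. The toy account service below is an added example written for this article, not code from the researchers or from any of the platforms named; `AccountService`, `run_scenarios` and the sample addresses are hypothetical. With `hardened=False` it behaves like the vulnerable services described: sessions, a pending email change and a federated IdP link all outlive the reset. With `hardened=True` a password reset revokes every session, drops the pending change and unlinks any IdP, and an account whose address is still unverified is refused an email change or IdP link in the first place (the ownership check the CFM and NV variants exploit the absence of).

```python
# Added example: a minimal account service used as a regression test for the
# invalidation steps that defeat the US, UEC and TID pre-hijacking variants.
# Nothing here is taken from a real platform; all names are hypothetical.
from __future__ import annotations
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    email: str
    password: str
    email_verified: bool = False                     # True once the mailbox owner proved control
    sessions: set[str] = field(default_factory=set)  # live session tokens
    pending_email: str | None = None                 # address change awaiting confirmation
    federated_ids: set[str] = field(default_factory=set)  # linked IdP subject identifiers


class AccountService:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}      # email -> account
        self.session_owner: dict[str, str] = {}     # session token -> email

    def _issue_session(self, acct: Account) -> str:
        token = secrets.token_hex(16)
        acct.sessions.add(token)
        self.session_owner[token] = acct.email
        return token

    def register(self, email: str, password: str) -> str:
        if email in self.accounts:
            raise ValueError("email already registered")
        self.accounts[email] = Account(email, password)
        return self._issue_session(self.accounts[email])

    def session_valid(self, token: str) -> bool:
        return token in self.session_owner

    def _account_for(self, token: str) -> Account:
        return self.accounts[self.session_owner[token]]

    def request_email_change(self, token: str, new_email: str) -> None:
        acct = self._account_for(token)
        if self.hardened and not acct.email_verified:
            raise PermissionError("verify the current address before changing it")
        acct.pending_email = new_email

    def confirm_email_change(self, email: str) -> bool:
        """Simulates the confirmation link being clicked; True if the address moved."""
        acct = self.accounts.pop(email)
        if acct.pending_email is None:
            self.accounts[email] = acct
            return False
        acct.email, acct.pending_email = acct.pending_email, None
        self.accounts[acct.email] = acct
        return True

    def link_federated(self, token: str, idp_subject: str) -> None:
        acct = self._account_for(token)
        if self.hardened and not acct.email_verified:
            raise PermissionError("verify the current address before linking an IdP")
        acct.federated_ids.add(idp_subject)

    def federated_login(self, idp_subject: str) -> str | None:
        for acct in self.accounts.values():
            if idp_subject in acct.federated_ids:
                return self._issue_session(acct)
        return None

    def reset_password(self, email: str, new_password: str) -> None:
        """Reset via a link mailed to `email`: the caller has proved control of the mailbox."""
        acct = self.accounts[email]
        acct.password = new_password
        acct.email_verified = True
        if self.hardened:
            for token in acct.sessions:          # US: kill every pre-existing session
                self.session_owner.pop(token, None)
            acct.sessions.clear()
            acct.pending_email = None            # UEC: drop unconfirmed address changes
            acct.federated_ids.clear()           # TID: unlink IdPs added before verification


def run_scenarios(hardened: bool) -> dict[str, bool]:
    """For each variant, True means the earlier registrant still has access
    after the mailbox owner resets the password. A hardened service yields all False."""
    results: dict[str, bool] = {}
    owner, first_pw, owner_pw = "owner@example.com", "weak-initial", "owner-chosen"

    svc = AccountService(hardened)                       # US: session opened before the reset
    old = svc.register(owner, first_pw)
    svc.reset_password(owner, owner_pw)
    results["US"] = svc.session_valid(old)

    svc = AccountService(hardened)                       # UEC: change requested before, confirmed after
    old = svc.register(owner, first_pw)
    try:
        svc.request_email_change(old, "other@example.net")
    except PermissionError:
        pass
    svc.reset_password(owner, owner_pw)
    results["UEC"] = svc.confirm_email_change(owner)

    svc = AccountService(hardened)                       # TID: IdP linked before the reset
    old = svc.register(owner, first_pw)
    try:
        svc.link_federated(old, "idp-subject-1234")
    except PermissionError:
        pass
    svc.reset_password(owner, owner_pw)
    results["TID"] = svc.federated_login("idp-subject-1234") is not None
    return results


if __name__ == "__main__":
    print("vulnerable:", run_scenarios(hardened=False))
    print("hardened:  ", run_scenarios(hardened=True))
```

The two rules carry the weight: treat a successful password reset (or any other proof of mailbox ownership) as the moment to revoke everything created before it, and refuse to let an unverified account change its address or link an identity provider at all. A real service would also re-check these invariants when MFA is enabled, since that is the step users are advised to take.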

The researchers write that the most common of all is the Unexpired Session problem. Dropbox (UEC), Instagram (TID), LinkedIn (US), WordPress.com (US and UEC), and Zoom (CFM and NV) are prime examples of large yet vulnerable platforms, they said. The experts reported all the detected problems to the companies concerned, many of which fixed the vulnerabilities and assigned them a high severity rating.


Unfortunately, the experts note in summary that they studied only a handful of large resources, and similar problems are likely to be found on thousands of other sites. Almost all online platforms seek to minimize friction during registration, which ultimately harms account security.

To reduce the risk from such attacks, the experts advise users to set up multi-factor authentication for their accounts immediately, which should also result in all previous sessions being invalidated.


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. I decided to enter INSA Centre Val de Loire after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.