Microsoft Security Response Center researcher Andrew Paverd and independent security researcher Avinash Sudhodanan have described an interesting class of attack, account pre-hijacking, in which attackers can compromise other people's LinkedIn, Zoom, WordPress, Dropbox and other accounts before the victims have even registered them.
In total, the researchers studied 75 popular online services and found that at least 35 of them were vulnerable to pre-hijacking attacks.
For such an attack to work, the attacker needs to know the future victim's email address, which is easy to obtain from prior correspondence or from the numerous data leaks that occur almost daily. The attacker then creates an account on the vulnerable site using the victim's email address and hopes that the victim ignores the notification that arrives in their mailbox (for example, dismissing it as spam). Finally, the attacker waits for the victim to create an account on that site, or tricks them into doing so.
Once this precondition is in place, the attacker can carry out five different attacks.
Classic-federated merge (CFM): The vulnerable platform supports account merging, and when the target creates an account with an email address that already exists, in some cases it does not even notify the user of this. The attack relies on the victim being offered single sign-on (SSO), so the victim never changes the password the attacker set.
Unexpired session (US): After creating the account, the attacker keeps the session alive with an automated script. When the victim creates the account and resets the password, the existing session may not be invalidated, so the attacker retains access to the account.
Trojan identifier (TID): Combines the classic-federated merge and unexpired session attacks. "The attacker creates a pre-hacked account using the victim's email address and then associates the account with the attacker's IdP (Identity provider) account for federated authentication. When the victim resets the password (as in a US attack), the attacker still retains access to the account through the federated authentication route," the paper explains.
Unexpired email change (UEC): The attacker creates an account using the victim's email address and then submits a request to change that address to one they control, but does not confirm it. After the victim resets the password, the attacker confirms the pending change and takes over the account.
Non-verifying IdP (NV): The attacker exploits the lack of IdP ownership verification during account creation, which opens up the possibility of abusing cloud identity providers such as Okta and OneLogin.
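As an added illustration (not code from the researchers' paper or from this article), the toy account service below reproduces the unexpired session, unexpired email change and trojan identifier cases when run with hardened=False, and shows the corresponding fix when a password reset invalidates all sessions, discards pending email changes, and drops IdP links made before the email was verified. All addresses, tokens and class names are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
@dataclass
class Account:
    email: str
    password: str
    verified: bool = False                           # holder proved ownership of email
    sessions: set = field(default_factory=set)       # live session tokens
    pending_email: str = ""                          # unconfirmed email-change request
    federated_ids: set = field(default_factory=set)  # linked IdP identities

class Service:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {}  # email -> Account

    def register(self, email: str, password: str) -> str:
        # Registration accepts any address without proving ownership (the pre-hijack step).
        acct = self.accounts.setdefault(email, Account(email, password))
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token

    def session_valid(self, email: str, token: str) -> bool:
        return token in self.accounts[email].sessions

    def link_idp(self, email: str, idp_id: str) -> bool:
        acct = self.accounts[email]
        if self.hardened and not acct.verified:
            return False  # refuse to federate an account whose email is unverified
        acct.federated_ids.add(idp_id)
        return True

    def request_email_change(self, email: str, new_email: str) -> None:
        self.accounts[email].pending_email = new_email

    def confirm_email_change(self, email: str) -> bool:
        acct = self.accounts[email]
        if not acct.pending_email:
            return False  # nothing pending (a hardened reset cleared it)
        acct.email, acct.pending_email = acct.pending_email, ""
        return True

    def reset_password(self, email: str, new_password: str) -> None:
        # The real holder completes the "forgot password" flow from their own mailbox.
        acct = self.accounts[email]
        acct.password, acct.verified = new_password, True
        if self.hardened:
            acct.sessions.clear()       # US: invalidate every pre-existing session
            acct.pending_email = ""     # UEC: drop unconfirmed email-change requests
            acct.federated_ids.clear()  # TID: drop IdP links made before verification
```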
Since many services today require new users to prove that the email address belongs to them, creating an account with someone else's address does not work in such cases. To bypass this limitation, an attacker can create an account with their own email address and then change it to the victim's address, abusing standard functionality available on most online services.
The researchers write that the unexpired session problem is the most common of all. Dropbox (UEC), Instagram* (TID), LinkedIn (US), WordPress.com (US and UEC), and Zoom (CFM and NV) are prime examples of large yet vulnerable platforms, they said. The researchers reported all the issues they found to the affected companies, many of which fixed the vulnerabilities and rated them high severity.
Unfortunately, the researchers note that they studied only a small number of large services, and similar problems are likely to exist on thousands of other sites. Almost every online platform tries to minimize friction during registration, which ultimately comes at the expense of account security.
To reduce the risk of such attacks, the researchers advise users to enable multi-factor authentication on their accounts right away, which should also cause all previous sessions to be invalidated.