Security News > 2022 > May > Account pre-hijacking attacks possible on many online services

Online accounts getting hijacked and misused is an everyday occurrence, but did you know that account pre-hijacking attacks are also possible?

Inspired by previous research on preemptive account hijacking by way of single sign-on technology, researchers Avinash Sudhodanan and Andrew Paverd wanted to see whether an action by an attacker performed before a victim creates an account may allow the former to gain access to it once the the victim has created/recovered the account.

Classic-Federated Merge Attack:Using the victim's email address, the attacker creates an account via the "Classic" route -> The victim later creates an account via the "Federated" route -> The service merges these two accounts insecurely, and the attacker still has access to the account.

Unexpired Session Identifier Attack:Using the victim's email address, the attacker creates an account via the "Classic" route and maintains a long-running active session -> The victim "Recovers" the account using the same email address -> The attacker retains access to the account if the password reset did not invalidate the attacker's session.

Trojan Identifier Attack:Using the victim's email address, the attacker creates an account via the "Classic" route -> The attacker adds a trojan identifier to the account -> When the victim resets the password, the attacker can use this trojan identifier to regain access the account.

Unexpired Email Change Attack:The attacker creates an account using the victim's email address and begins the process of changing the account's email address to the attacker's own email address -> The service sends a verification URL to the attacker's email address, but the attacker confirms the change only after the victim has recovered the account and started using it.

News URL

https://www.helpnetsecurity.com/2022/05/24/account-pre-hijacking/