About half of popular websites tested found vulnerable to account pre-hijacking
"The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account," explain Sudhodanan and Paverd in their paper.
Their threat model makes certain assumptions: that the attacker can access the target service and third-party IdP services; that the attacker can create free and paid accounts at the target service but doesn't have admin rights; that the attacker can create accounts with IdP services and use these with the target service; and that the attacker knows the victim's email address and other basic details like first and last name.
If the service did not invalidate the attacker's maintained sessions, the attacker would then have access to the victim's account.
When the researchers tested 75 popular services from the Alexa top 150 websites to determine whether they could be exploited via pre-hijacking attacks, they found at least 35 were vulnerable to one or more of these techniques.
Microsoft's own LinkedIn was potentially vulnerable to the Unexpired Session Attack, as well as a variant of the Trojan Identifier Attack.
"...Although many services do perform this type of verification, they often do so asynchronously, allowing the user to use certain features of the account before the identifier has been verified. Although this might improve usability, it leaves the user vulnerable to pre-hijacking attacks."
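The two server-side controls the article points at, invalidating pre-existing sessions on account recovery and withholding features until the e-mail identifier is verified, modelled as an added example that is not from the paper or from any service it tested; the toy service, the account names and the plaintext password comparison are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str           # toy model: a real service stores a password hash
    verified: bool = False  # has ownership of the e-mail identifier been proven?
    tokens: set = field(default_factory=set)

class AccountService:
    """Constructed toy service; both switches default to the safe setting."""
    def __init__(self, revoke_on_recovery=True, gate_until_verified=True):
        self.accounts = {}  # email -> Account
        self.sessions = {}  # session token -> email
        self.revoke_on_recovery = revoke_on_recovery
        self.gate_until_verified = gate_until_verified
    def sign_up(self, email, password):
        if email in self.accounts:
            raise ValueError("identifier already registered")
        self.accounts[email] = Account(password)
    def log_in(self, email, password):
        acct = self.accounts[email]
        if not secrets.compare_digest(acct.password, password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = email
        acct.tokens.add(token)
        return token
    def recover(self, email, new_password):
        # Caller proved control of the address: mark it verified and, as
        # mitigation 1, revoke every session that predates the recovery.
        acct = self.accounts[email]
        acct.password, acct.verified = new_password, True
        if self.revoke_on_recovery:
            for t in acct.tokens:
                self.sessions.pop(t, None)
            acct.tokens.clear()
    def can_use_feature(self, token):
        # Mitigation 2: no account features until the identifier is verified.
        email = self.sessions.get(token)
        return email is not None and (self.accounts[email].verified or not self.gate_until_verified)

def pre_hijack_outcome(revoke_on_recovery, gate_until_verified):
    """Replay the article's scenario; returns (access before, access after recovery)."""
    svc = AccountService(revoke_on_recovery, gate_until_verified)
    svc.sign_up("victim@example.com", "attacker-chosen")  # account pre-created
    token = svc.log_in("victim@example.com", "attacker-chosen")  # session kept open
    before = svc.can_use_feature(token)
    svc.recover("victim@example.com", "victim-chosen")  # victim recovers the account
    return before, svc.can_use_feature(token)
```

Session revocation alone closes the unexpired-session path; verification gating alone does not, because the victim's recovery verifies the identifier for the attacker's still-live session as well.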
News URL
https://go.theregister.com/feed/www.theregister.com/2022/05/25/web_pre_hijacking/