Online accounts getting hijacked and misused is an everyday occurrence, but did you know that account pre-hijacking attacks are also possible?
Inspired by previous research on preemptive account hijacking by way of single sign-on (SSO) technology, researchers Avinash Sudhodanan and Andrew Paverd wanted to see whether an action by an attacker performed before a victim creates an account may allow the former to gain access to it once the the victim has created/recovered the account.
Depressingly, they found that not only there are several ways an account pre-hijacking attack can be mounted, but also that out of 75 popular websites and online services they tested, at least 35 of these were vulnerable to one or more variant. Among these were Instagram, LinkedIn, Dropbox, Zoom, and WordPress.com.
What makes account pre-hijacking attacks possible?
Exploitable security gaps arise partly because many services support (at least) two different routes for account creation: the “classic” (user choosing username/password) and the federated route (SSO via an Identity Provider, e.g., “Sign in with Microsoft/Google/LinkedIn/etc.”)
“Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account,” Paverd explained.
“Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.”
The researcher identified five types of pre-hijacking attacks:
Classic-Federated Merge Attack:
Using the victim’s email address, the attacker creates an account via the “classic” route -> The victim later creates an account via the “federated” route (using the same email address) -> The service merges these two accounts insecurely, and the attacker still has access to the account.
Unexpired Session Identifier Attack:
Using the victim’s email address, the attacker creates an account via the “classic” route and maintains a long-running active session -> The victim “recovers” the account using the same email address -> The attacker retains access to the account if the password reset did not invalidate the attacker’s session.
Trojan Identifier Attack:
Using the victim’s email address, the attacker creates an account via the “classic” route -> The attacker adds a trojan identifier (e.g. the attacker’s federated identity or another attacker-controlled email address or phone number) to the account -> When the victim resets the password, the attacker can use this trojan identifier to regain access the account (e.g. by resetting the password).
Unexpired Email Change Attack:
The attacker creates an account using the victim’s email address and begins the process of changing the account’s email address to the attacker’s own email address -> The service sends a verification URL to the attacker’s email address, but the attacker confirms the change only after the victim has recovered the account and started using it.
Non-Verifying IdP Attack:
The attacker leverages an IdP that does not verify ownership of an email address when creating a federated identity -> The attacker creates an account with the target service and waits for the victim to create an account using the “classic” route -> If the service incorrectly merges the two accounts based on the email address, the attacker can access the victim’s account.
For all these attacks, the attacker would have to know/discover the email address of the target – a relatively easy feat in this digital age – and identify services at which the victim doesn’t have an account (but is likely to create one in future).
“The attacker might observe a general increase in popularity of a service (e.g., a video conferencing service when people are required to work from home) and pre-hijack accounts for that service using email addresses found through website scraping or credential dumps,” he explained.
Or, as another example, an attacker might target a social media “influencer” with a strong presence on one platform and pre-hijack their account on another social media platform that’s rapidly becoming the “next big thing.”
What can online services and end users do?
The researchers have notified the 35 online services of the vulnerabilities they found, and they confirmed that the named online services have fixed them. It is to be hoped that the others have too, or are in the process of doing so.
“However, it is highly likely that other websites and online services, beyond the 75 we analyzed, will also be vulnerable to these attacks,” Paverd said, and detailed several defense-in-depth security measures for account creation that they might implement to make sure that these attacks cannot be performed.
End users can also do something to protect themselves from pre-hijacking attacks: they can enable multi-factor authentication (MFA) on their accounts as soon as they create them.
“Correctly implemented MFA will prevent the attacker from authenticating to a pre-hijacked account after the victim starts using this account. The service must also invalidate any sessions created prior to the activation of MFA to prevent the Unexpired Session attack,” Paverd concluded.