Account pre-hijacking attacks possible on many online services

Online accounts hijacked and misused are commonplace, but did you know pre-account takeover attacks are also possible?

Inspired by previous research on preventative account takeover using single sign-on (SSO) technology, researchers Avinash Sudhodanan and Andrew Paverd wanted to see if an attacker’s action taken before a victim creates a account could allow the first to access once the victim created/recovered the account.

Unfortunately, they found that not only are there multiple ways to mount an account pre-hacking attack, but also that out of 75 popular websites and online services they tested, at least 35 of them were vulnerable to one or more variants. These included Instagram, LinkedIn, Dropbox, Zoom and WordPress.com.

What makes pre-account takeover attacks possible?

Exploitable security vulnerabilities arise in part because many services support (at least) two different routes for account creation: the “classic” route (user chooses their username/password) and the federated route (SSO via an identity provider, e.g. “Sign in with Microsoft/Google/LinkedIn/etc.”)

“Basically, the root cause of pre-account takeover vulnerabilities is that the service fails to verify that the user actually owns the provided identifier (e.g., email address or phone number) before to authorize the use of the account,” explained Paverd.

“While many services require credential verification, they often do so asynchronously, allowing the user (or attacker) to use certain account features before the credential has been verified. While this may improve usability, it creates a window of vulnerability for pre-hacking attacks.

The researcher identified five types of pre-hack attacks:

Classic Federated Fusion Attack:
From the victim’s email address, the attacker creates an account via the “classic” route -> The victim then creates an account via the “federated” route (using the same email address) -> The service merges these two accounts in an insecure manner, and the attacker still has access to the account.

Unexpired Session ID Attack:
Using the victim’s email address, the attacker creates an account via the “classic” route and maintains a long-lasting active session -> Victim “recovers” the account using the same email address – > The attacker retains access to the account if resetting the password did not invalidate the attacker’s session.

Trojan ID attack:
Using the victim’s email address, the attacker creates an account via the “classic” route -> Attacker adds a Trojan ID (e.g. attacker’s federated identity or a other email address or phone number controlled by the attacker) to the account -> When the victim resets the password, the attacker can use this Trojan ID to regain access to the account (e.g. by resetting the password).

Unexpired email modification attack:
The attacker creates an account using the victim’s email address and begins the process of changing the account’s email address to the attacker’s own email address -> Service sends URL verification to the attacker’s email address, but the attacker only confirms the change after the victim recovers the account and starts using it.

IdP attack without verification:
Attacker exploits an IdP that does not verify ownership of an email address when creating a federated identity -> Attacker creates an account with the target service and waits for the victim to create an account using the “classic” route -> If the service incorrectly merges the two accounts based on the email address, the attacker can gain access to the victim’s account.

For all of these attacks, the attacker would need to know/discover the target’s email address – a relatively easy feat in the digital age – and identify the services on which the victim does not have an account (but is likely to create one in the future).

“The attacker can observe a general increase in the popularity of a service (for example, a video conferencing service when people have to work from home) and pre-hack accounts for that service using email addresses found via website scraping or credential dumps,” he said. Explain.

Or, as another example, an attacker can target a social media “influencer” with a strong presence on one platform and pre-hack their account on another social media platform that quickly becomes the “next thing”.

What can online services and end users do?

The researchers notified the 35 online services of the vulnerabilities they found, and they confirmed that the named online services had fixed them. It is to be hoped that the others have also done so or are in the process of doing so.

“However, it is highly likely that other websites and online services, beyond the 75 we analyzed, will also be vulnerable to these attacks,” Paverd said, and detailed several defensive security measures in depth for account creation that they could implement to make sure these attacks cannot be performed.

End users can also do something to protect themselves from pre-hacking attacks: they can enable multi-factor authentication (MFA) on their accounts as soon as they create them.

“A properly implemented MFA will prevent the attacker from authenticating to a pre-hacked account once the victim has started using that account. The service should also invalidate all sessions created before MFA was enabled to prevent the unexpired session attack,” Paverd concluded.

Veronica J. Snell