Two security researchers have identified five related techniques for hijacking Internet accounts by preparing them in advance to be commandeered.
And they claim that when they analyzed 75 popular Internet services, almost half were vulnerable to at least one of these techniques.
Avinash Sudhodanan, independent security researcher, and Andrew Paverd, senior researcher at Microsoft, describe their findings in an article titled “Pre-Hijacked Accounts: An Empirical Study of Security Failures in User Account Creation on the Web”.
Scheduled for presentation at the USENIX Security Symposium in August, the paper examines how the interaction between federated identity services and traditional password-based account creation can be exploited, because online services often fail to verify that the person signing up actually controls the identifier they provide before authorizing use of the account.
“The distinguishing characteristic of these attacks is that the attacker performs an action before the victim creates an account, which makes it trivial for the attacker to access it after the victim creates/retrieves the account,” Sudhodanan and Paverd explain in their article.
The two researchers also published a blog post this week about their work.
Previous work in this area was presented at the USENIX conference in 2018 by five researchers from the University of Chicago. It explored how cookie theft could compromise single sign-on (SSO) services that people use through an identity provider (IdP) like Apple, Facebook, Google, or Microsoft.
In this scenario, the attacker has taken control of the victim’s federated identity (IdP) by stealing a session cookie and using it to create an account on an online service where the victim has not yet created an account. When the victim later attempts to register with the targeted service, the attacker can take control of that account through the compromised federated login.
There must be five ways to break your security
Sudhodanan and Paverd expanded this attack surface by identifying five related strategies for pre-emptive account takeover that do not involve compromising the federated identity provider account.
Their threat model relies on certain assumptions: that the attacker can access the target service and third-party IdP services; that the attacker can create free and paid accounts on the target service but does not have administrator rights; that the attacker can create accounts with IdP services and use them with the target service; and that the attacker knows the victim’s email address and other basic details like first and last name.
Some of the attack variants assume that the victim can visit a URL controlled by the attacker. The threat model also assumes that the victim has enough security knowledge not to respond to phishing, but allows the victim to ignore notifications sent by services where the victim has not yet created an account – a hypothesis that the researchers say is supported by previous research. So, although these attacks do not depend directly on social engineering, they do rely on certain types of social behavior.
The first of these is called the classic federated merge attack, which requires the target service to support both classic account creation (providing email address and password) and SSO account creation via an IdP like Facebook Login.
The attacker uses the classic approach to open an account using the victim’s email address and a password chosen by the attacker. Then, later, the victim registers via an IdP.
What happens next is not certain. The victim may or may not pay attention to account creation or pre-existing account notifications, and could thwart the attack with a password reset. But the attacker may also retain the ability to log in via the classic method while the victim accesses the account via the IdP.
The second technique is called an unexpired session attack, which requires the target service to support password resets and multiple concurrent sessions.
How attacks can be pulled off… Source: Andrew Paverd / Microsoft.
This attack exploits a vulnerability in which authenticated users are not logged out of an account when the password is reset. “This allows the attacker to retain access to a pre-hijacked account even after the victim resets the password.”
In this scenario, the attacker creates an account using the victim’s email, then logs in and keeps the session active indefinitely, likely via a script.
The victim then tries to create an account with the target service. Seeing that an account already exists, the victim may try to reset the password. But if the service did not invalidate the attacker’s still-open sessions, the attacker retains access to the victim’s account.
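The classic-federated merge and unexpired-session attacks just described both come down to the same two checks on the service side: does a federated login merge into an unverified classic account, and does a password reset revoke existing sessions? The toy account service below is an added illustration written for this article, not code from the paper or from any of the services named; the `AccountService` class, its flags, and the `victim@example.com` identifier are constructed. The two scenario functions return whether the pre-created account or session survives, so the vulnerable and hardened configurations can be compared directly.

```python
import secrets
VICTIM = "victim@example.com"  # constructed sample identifier

class AccountService:
    def __init__(self, verify_before_merge, revoke_sessions_on_reset):
        self.verify_before_merge = verify_before_merge            # hardening for the merge
        self.revoke_sessions_on_reset = revoke_sessions_on_reset  # hardening for the reset
        self.accounts = {}  # email -> {"password": str | None, "verified": bool}
        self.sessions = {}  # session token -> email
    def _new_session(self, email):
        token = secrets.token_hex(8)
        self.sessions[token] = email
        return token
    def _revoke_sessions(self, email):
        self.sessions = {t: e for t, e in self.sessions.items() if e != email}
    def signup_classic(self, email, password):
        # Classic sign-up claims an email but has not yet proven ownership of it.
        self.accounts[email] = {"password": password, "verified": False}
    def login_classic(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct["password"] != password:
            return None
        return self._new_session(email)
    def login_idp(self, email):
        # The IdP has asserted that the user controls `email`.
        acct = self.accounts.get(email)
        if acct is None or (self.verify_before_merge and not acct["verified"]):
            # Hardened: an unverified classic account is an unproven claim, so it is
            # replaced rather than merged, discarding its password and its sessions.
            self._revoke_sessions(email)
            self.accounts[email] = {"password": None, "verified": True}
        return self._new_session(email)  # vulnerable path: merge into the existing account
    def reset_password(self, email, new_password):
        self.accounts[email]["password"] = new_password
        if self.revoke_sessions_on_reset:
            self._revoke_sessions(email)  # hardened: every existing session is logged out

def classic_federated_merge(svc):
    # True if the attacker-chosen password still works after the victim joins via the IdP.
    svc.signup_classic(VICTIM, "attacker-chosen-pw")
    svc.login_idp(VICTIM)  # the victim later signs up via federated login
    return svc.login_classic(VICTIM, "attacker-chosen-pw") is not None

def unexpired_session(svc):
    # True if a session opened before the victim's password reset survives the reset.
    svc.signup_classic(VICTIM, "attacker-chosen-pw")
    token = svc.login_classic(VICTIM, "attacker-chosen-pw")
    svc.reset_password(VICTIM, "victim-pw")  # the victim finds an existing account and resets
    return token in svc.sessions
```

`AccountService(False, False)` models the two defects the paper describes; `AccountService(True, True)` applies the two fixes, and the victim's own IdP login continues to work in both.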
Other pre-hijacking attacks described include Trojan Identifier, Unexpired Email Change, and Non-verifying IdP.
Not a small problem
This may all sound rather speculative, since none of it is guaranteed to work. But the techniques proved practical enough to try against a wide variety of popular online services. When the researchers tested 75 popular services from Alexa’s top 150 websites to see if they could be exploited via pre-hijacking attacks, they found that at least 35 were vulnerable to one or more of these techniques.
Dropbox, for example, was found to be vulnerable to the Unexpired Email Change attack. Instagram was found to be vulnerable to the Trojan Identifier attack. Microsoft’s LinkedIn was potentially vulnerable to the unexpired session attack, as well as a variant of the Trojan Identifier attack. WordPress and Zoom were each found to be vulnerable to two of these attacks.
Sudhodanan and Paverd say they responsibly disclosed all 56 vulnerabilities they identified across 35 services, 19 of which were reported via third-party bug bounty services like HackerOne, Bugcrowd, and Federacy. They say they also contacted 11 other companies through their security reporting email addresses. In theory, the companies that received these reports will have dealt with them by now.
“The root cause of all attacks identified in previous sections is the failure to verify ownership of the claimed identifier,” the researchers conclude. “…While many services perform this type of verification, they often do so asynchronously, allowing the user to use certain account features before the identifier has been verified. [Although this may] improve usability (reducing user friction during registration), it leaves the user vulnerable to pre-hijacking attacks.” ®