
At least 35 out of 75 popular websites tested were found to be vulnerable to account pre-hijacking

The Register reported that two security researchers have identified five related techniques for pre-emptively hijacking online accounts.


In a paper titled “Pre-hijacked Accounts: An Empirical Study of Security Failures in User Account Creation on the Web”, Avinash Sudhodanan, an independent security researcher, and Andrew Paverd, a senior researcher at Microsoft, present their findings.

Because online services often fail to verify that the person creating an account actually controls the identifier (such as an email address) they supply before allowing the account to be used, the paper explores how the interaction between federated identity services and traditional password-based account creation can be exploited.

5 types of pre-hijack attacks

The two researchers also wrote a blog post about their findings, describing five different types of pre-hijacking attacks.


1. Classic-federated merge attack: This takes advantage of a gap in how a service reconciles an account created through the conventional (username and password) route with a later sign-in for the same email address through a federated identity provider.

2. Unexpired session identifier attack: This exploits services that do not terminate existing authenticated sessions when the account’s password is reset.

3. Trojan identifier attack: This exploits the attacker’s ability to bind an additional identifier to an account created through the standard username-and-password route.

4. Unexpired email change attack: This relies on a service failing to invalidate outstanding email-change capability URLs when a user changes their password.

5. Non-verifying IdP attack: This is the mirror image of the classic-federated merge attack. The attacker creates the federated identity through an IdP that does not verify ownership of the email address.

The blog noted that all of these methods require the attacker to identify services where the victim does not currently have an account but is likely to create one in the future.
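The attacks above all rely on state that an attacker can plant in an account before its legitimate owner claims it. The following toy account store, added here as an illustration and not code from the paper or from any service it names, contrasts a service that leaves that state in place with one that revokes it the moment ownership of the address is actually proven (a password reset via the mailbox, or a sign-in through a verifying IdP). The service class, the method names and the addresses, identifiers and passwords are all constructed for this example.

```python
"""Toy in-memory account store showing the stale state that pre-hijacking
abuses, and the invalidation a hardened service performs.  Illustrative only:
addresses, identifiers and passwords are constructed sample values."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str                         # address the account was created with
    password: Optional[str]            # plaintext only because this is a toy
    email_verified: bool = False
    sessions: set = field(default_factory=set)               # live session ids
    linked_ids: dict = field(default_factory=dict)           # identifier -> verified?
    email_change_tokens: dict = field(default_factory=dict)  # token -> new address


class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict = {}

    def create_account(self, email, password):
        # Classic route: ownership of the address is not checked at creation,
        # which is what lets someone pre-create an account in another's name.
        self.accounts[email] = Account(email, password)

    def login(self, email, password):
        acct = self.accounts[email]
        if acct.password is None or acct.password != password:
            raise PermissionError("bad password")
        sid = secrets.token_hex(8)
        acct.sessions.add(sid)
        return sid

    def is_session_valid(self, email, sid):
        return sid in self.accounts[email].sessions

    def link_identifier(self, email, sid, identifier, verified=False):
        # e.g. attaching a federated identity or a secondary address
        if not self.is_session_valid(email, sid):
            raise PermissionError("no session")
        self.accounts[email].linked_ids[identifier] = verified

    def request_email_change(self, email, sid, new_email):
        if not self.is_session_valid(email, sid):
            raise PermissionError("no session")
        token = secrets.token_urlsafe(16)
        self.accounts[email].email_change_tokens[token] = new_email
        return token

    def confirm_email_change(self, email, token):
        acct = self.accounts[email]
        acct.email = acct.email_change_tokens.pop(token)  # KeyError once revoked
        return acct.email

    def _claim_by_verified_owner(self, acct):
        """Runs once control of the address has actually been proven."""
        acct.email_verified = True
        if self.hardened:
            acct.sessions.clear()              # closes the unexpired-session attack
            acct.email_change_tokens.clear()   # closes the unexpired-email-change attack
            # drop identifiers nobody ever verified: closes the Trojan-identifier attack
            acct.linked_ids = {i: v for i, v in acct.linked_ids.items() if v}

    def reset_password(self, email, new_password):
        acct = self.accounts[email]
        acct.password = new_password
        self._claim_by_verified_owner(acct)

    def federated_login(self, email, idp_verified_email):
        acct = self.accounts.get(email)
        if acct is None:
            acct = self.accounts[email] = Account(email, None, idp_verified_email)
        elif idp_verified_email and not acct.email_verified:
            # Classic-federated merge: the IdP proved ownership, the classic
            # account never did, so its pre-set password must not survive.
            if self.hardened:
                acct.password = None
            self._claim_by_verified_owner(acct)
        sid = secrets.token_hex(8)
        acct.sessions.add(sid)
        return sid


def reset_scenario(hardened):
    """Account pre-created for the victim's address with stale state planted,
    then claimed by the victim through a password reset.  Returns what survives."""
    svc = AccountService(hardened)
    victim = "victim@example.com"
    svc.create_account(victim, "attacker-pass")
    sid = svc.login(victim, "attacker-pass")
    svc.link_identifier(victim, sid, "attacker-idp-id")
    token = svc.request_email_change(victim, sid, "attacker@example.net")
    svc.reset_password(victim, "victim-pass")
    try:
        svc.confirm_email_change(victim, token)
        change_ok = True
    except KeyError:
        change_ok = False
    return {"session_still_valid": svc.is_session_valid(victim, sid),
            "trojan_id_still_linked": "attacker-idp-id" in svc.accounts[victim].linked_ids,
            "email_change_still_works": change_ok}


def merge_scenario(hardened):
    """Same pre-created account, but the victim arrives through a verifying IdP."""
    svc = AccountService(hardened)
    victim = "victim@example.com"
    svc.create_account(victim, "attacker-pass")
    svc.federated_login(victim, idp_verified_email=True)
    try:
        svc.login(victim, "attacker-pass")
        return {"attacker_password_still_works": True}
    except PermissionError:
        return {"attacker_password_still_works": False}


if __name__ == "__main__":
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable", reset_scenario(hardened), merge_scenario(hardened))
```

Every foothold survives in the vulnerable configuration and none in the hardened one; the single `_claim_by_verified_owner` step is the defensive point: whatever proves ownership of the address (reset link or verifying IdP) should also revoke every session, pending capability URL and unverified linked identifier that predates that proof.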


Nearly half of the 75 popular services tested could be exploited via pre-hijacking attacks

According to The Register, because none of these techniques is guaranteed to work, they might seem speculative. In practice, however, they proved workable enough to be tested against a range of popular internet services.

When the researchers evaluated 75 popular services drawn from Alexa’s top 150 websites to see whether they could be exploited via pre-hijacking attacks, they found that at least 35 of them were vulnerable to one or more of these methods.

Dropbox, for example, was found to be vulnerable to the unexpired email change attack, and Instagram to the Trojan identifier attack. Microsoft’s LinkedIn was susceptible to both the unexpired session attack and a variant of the Trojan identifier attack. WordPress and Zoom were each found to be vulnerable to two of these attacks.

Sudhodanan and Paverd say they responsibly disclosed the 56 vulnerabilities they discovered across 35 services, 19 of which were reported through third-party bug bounty platforms such as HackerOne, Bugcrowd and Federacy. They also say they contacted 11 other companies through their security reporting email addresses. Companies that received these reports should, in theory, have already addressed them.

