Getting your online account hacked is bad enough. Getting it hacked before it has even been created is far worse. Two security researchers have just shown that dozens of online services were not secure enough and allowed attackers to carry out so-called "pre-hijacking" attacks. Armed only with the victim's e-mail address, the attacker creates an account on the service in the victim's name. Later, when the target creates their genuine account on that service, the attacker can retain control of it and use it for various purposes: spying, altering content, creating false content, fraudulent payments, and so on.
All of this is possible because of a series of flaws the researchers found in authentication and account-recovery processes. The phenomenon is far from anecdotal: of 75 online services tested, 35 were vulnerable, among them big names such as LinkedIn, Instagram, Dropbox, Zoom and WordPress.com.
So how is this possible? First, the researchers found that account verification (the e-mail you receive to confirm that you own the address in question) is not sufficient. Sometimes it is not implemented at all, and when it is, it is sometimes possible to change the address later without any further verification.
Then, when the victim creates their account, they are of course told that it already exists. They will most likely assume they had forgotten creating it and go through the account-recovery process. Several attack scenarios are then possible.
5 attack scenarios
1) Using a script, the attacker keeps a login session open. That session stays valid even after the victim resets the password, which should never be the case. (Unexpired Session Attack)
2) The victim creates their account through a third-party authentication service such as Google or Apple. If the platform is misconfigured, it merges the two accounts without disabling the password set earlier by the attacker. (Classic Federated Merge Attack)
3) Conversely, the attacker creates access directly through an identity provider that does not verify ownership of the victim's e-mail address. When the victim later creates their account normally, that access remains valid. (Non-Verifying IdP Attack)
4) The attacker creates an account with the victim's e-mail address and links another identity to it through identity federation. If the victim recovers the account normally, the attacker keeps access through this parallel identity. (Trojan Identifier Attack)
5) The attacker initiates an e-mail address change but does not complete it. Once the victim has created their real account, the attacker finalizes the change and regains access. (Unexpired Email Change Attack)
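To make the five scenarios concrete from the defender's side, here is an added example (not code from the article or from the researchers' study): a toy account store whose checks close each path. The class and method names, the 15-minute lifetime of a pending e-mail change, and the policy of wiping all state planted before the first successful address verification are assumptions made for illustration; the inline comments say which scenario each check addresses.

```python
# Added illustration, not the article's or the study's code. Names, the
# 15-minute expiry and the "reset on first verification" policy are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
import secrets

EMAIL_CHANGE_TTL = 15 * 60  # assumed lifetime of a pending e-mail change (seconds)


@dataclass
class Account:
    email: str
    verified: bool = False                        # owner has proven control of `email`
    password_hash: str | None = None
    federated_ids: set = field(default_factory=set)   # linked IdP subjects, e.g. "google:42"
    sessions: set = field(default_factory=set)
    pending_change: tuple | None = None           # (new_email, token, expires_at)


class AccountService:
    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.verify_tokens: dict[str, str] = {}   # verification token -> email

    def signup(self, email: str, password_hash: str) -> str:
        """Create an unverified account (or re-claim an unverified one) and return
        the verification token; a real service e-mails it instead of returning it."""
        acct = self.accounts.setdefault(email, Account(email))
        if acct.verified:
            raise ValueError("account already exists; use account recovery")
        acct.password_hash = password_hash        # only the latest claimant's password survives
        token = secrets.token_urlsafe(16)
        self.verify_tokens[token] = email
        return token

    def verify_email(self, token: str) -> Account:
        """The first proof of address ownership wipes everything planted before it;
        scenarios 1, 4 and 5 all depend on such leftovers surviving."""
        acct = self.accounts[self.verify_tokens.pop(token)]
        if not acct.verified:
            acct.sessions.clear()
            acct.federated_ids.clear()
            acct.pending_change = None
            acct.verified = True
        return acct

    def login(self, email: str, password_hash: str) -> str:
        acct = self.accounts[email]
        if not acct.verified or acct.password_hash != password_hash:
            raise PermissionError("unverified account or wrong password")
        sid = secrets.token_urlsafe(16)
        acct.sessions.add(sid)
        return sid

    def reset_password(self, email: str, new_hash: str) -> None:
        acct = self.accounts[email]
        acct.password_hash = new_hash
        acct.sessions.clear()                     # scenario 1: no session outlives a reset

    def login_with_idp(self, email: str, idp_subject: str, idp_email_verified: bool) -> str:
        if not idp_email_verified:                # scenario 3: the IdP must vouch for the address
            raise PermissionError("IdP did not verify the e-mail address")
        acct = self.accounts.setdefault(email, Account(email))
        if not acct.verified:                     # scenario 2: merging must not keep a password
            acct.password_hash = None             # that nobody has proven they own
            acct.sessions.clear()
            acct.federated_ids.clear()
            acct.verified = True
        acct.federated_ids.add(idp_subject)
        sid = secrets.token_urlsafe(16)
        acct.sessions.add(sid)
        return sid

    def request_email_change(self, email: str, session_id: str, new_email: str, now: float) -> str:
        acct = self.accounts[email]
        if session_id not in acct.sessions:
            raise PermissionError("not logged in")
        token = secrets.token_urlsafe(16)
        acct.pending_change = (new_email, token, now + EMAIL_CHANGE_TTL)
        return token                              # sent to new_email in a real service

    def finalize_email_change(self, email: str, token: str, now: float) -> Account:
        acct = self.accounts[email]
        pending, acct.pending_change = acct.pending_change, None   # single use
        if pending is None or pending[1] != token or now > pending[2]:
            raise PermissionError("no valid pending change")       # scenario 5: stale changes die
        del self.accounts[email]
        acct.email = pending[0]
        self.accounts[acct.email] = acct
        return acct
```

The two rules that do most of the work are that nothing (login, linking, address change) is allowed on an account whose address has never been verified, and that the first successful verification discards every session, federated link and pending change created before it. Expiring pending e-mail changes and killing sessions on password reset are the belt-and-braces checks for scenarios 5 and 1.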
All 35 vulnerable providers were notified of these flaws, and most of them have deployed fixes. That is notably the case for LinkedIn and Zoom, which were vulnerable to scenarios 1 and 4, and to scenarios 2 and 3, respectively. Some, however, consider the risk minor or not their responsibility. Instagram, for example, is vulnerable to scenario 4 but believes it has enough alerts and safeguards in place to prevent it. At worst, it's the user's fault.
Note that the researchers were only able to test a small selection of online services, so other vulnerable platforms almost certainly exist. As a user, one way to protect yourself against these attacks is to enable strong authentication on your accounts: it prevents an attacker from using any parallel access they may have set up earlier.
Sources: Bleeping Computer, Research study