Validation check loopholes exposed
Malicious actors can take unauthorized ownership of online accounts even before their victims sign up for services, according to new research backed by the Microsoft Security Response Center (MSRC).
Dubbed ‘account pre-hijacking’, the class of attack involves an attacker setting an account takeover exploit in motion before the victim has even registered with an online service. After the victim signs up, the attacker takes advantage of security holes in the service’s authentication mechanisms to access or take ownership of the newly-created account.
The study (PDF) found dozens of high-traffic services to be vulnerable to at least one type of pre-hijacking attack. The research sheds light on the security issues surrounding account creation, a seldom scrutinised issue.
More than one way to pre-hijack an account
The research was supported by one of the Identity Project Research Grants awarded by the MSRC in early 2020.
“In this project, we explored several topics, but soon noticed a pattern emerging around the ‘pre-hijacking’ threat model,” Andrew Paverd, a senior researcher at MSRC, and independent researcher Avinash Sudhodanan told The Daily Swig.
Account pre-hijacking assumes that the victim doesn’t yet have an account on the target service and the attacker knows the email and other basic details of the victim. The researchers discovered five types of pre-hijacking attack scenarios.
Some take advantage of multiple account creation modes supported by many online services. On many websites, users can directly provide an email address and password to create their account or use federated authentication by using a consumer-focused single sign-on (SSO) service, as provided by the likes of Facebook, Google, and Microsoft.
DON’T FORGET TO READ Security ‘researcher’ hits back against claims of malicious CTX file uploads
For example, in one type of attack, the attacker creates an account with the victim’s email address. The victim then creates an account using the federated approach. In some services, this merges the attacker’s and victim’s accounts, giving them both simultaneous access to the same account.
In another type of attack, the attacker creates an account with the victim’s email and associates their own federated identity to the same account. When the victim tries to create their account, they will be prompted to reset their password. The victim will obtain access to the account, but the attacker will also be able to access the account through the SSO identity.
The researchers said: “It’s very positive to see how many online services are moving towards single sign-on [but] this means that they might have to support multiple login mechanisms. This in itself is not necessarily an issue, and many services do this securely.
“Our research simply points out some subtle pitfalls to be aware of when supporting multiple login mechanisms,” the researchers added.
Paverd and Sudhodanan pointed out that three of the attacks they found do not require the service to support multiple login mechanisms.
For example, in one scheme, the attacker’s session might remain active even after the victim recovers their account and resets the password.
In yet another scenario, the attacker creates an account with the victim’s email and initiates an email change request to the attacker’s own email address. The attacker then waits for the victim to claim the account before completing the email change request and taking ownership of the account.
Top services affected
In their study, the researchers examined 75 services that ranked among Alexa’s list of top-150 high-traffic domains. At least 35 were affected by one or more account pre-hijacking attacks, including Dropbox, Instagram, LinkedIn, WordPress.com, and Zoom. Fortunately, all the affected services were notified of the vulnerabilities and have implemented the necessary fixes.
“We think that a lack of awareness may have been the main cause of these potential vulnerabilities. We are therefore publishing this research to raise awareness and help organizations mitigate these vulnerabilities,” Paverd and Sudhodanan said.
The most important takeaway, the researchers concluded, is “to verify that the user actually owns any user-supplied identifiers (e.g., email address or phone number) before using them to create a new account or adding them to an existing account”. This would mitigate all types of pre-hijacking attacks identified to date.
The researchers’ paper also describes several other possible defense-in-depth strategies.
They recommended that users enable multi-factor authentication (MFA) whenever possible because it stops most pre-hijacking attacks they uncovered.
Another sign of account pre-hijacking is receiving an email about an account that you did not create, which users usually ignore. “Report this to the relevant website,” the researchers said.