A vulnerability that allows 'pre-hijacking' of accounts is discovered on Instagram, Zoom, LinkedIn, etc.

According to a security study supported by the Microsoft Security Response Center (MSRC), many widely used services turned out to be vulnerable to 'account pre-hijacking attacks', in which an attacker takes control of a user's account on a service before the user has even created it.

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web
(PDF file) https://arxiv.org/pdf/2205.10174.pdf

Account pre-hijacking attacks possible on many online services --Help Net Security
https://www.helpnetsecurity.com/2022/05/24/account-pre-hijacking/

Dozens of high-traffic websites vulnerable to 'account pre-hijacking', study finds | The Daily Swig
https://portswigger.net/daily-swig/dozens-of-high-traffic-websites-vulnerable-to-account-pre-hijacking-study-finds

An 'account pre-hijacking attack' exploits single sign-on, which lets a user create an account on one service using an existing account at a provider such as Microsoft or Google. Attackers take advantage of the security gap between the 'classic' sign-up route, which uses an email address and password, and the 'federated' route, which links authentication information between services, to establish a foothold in the victim's account before the victim has created it.

Specifically, the following five methods have been identified.

◆ Classic-federated merge attack
In this attack, the attacker first creates a 'classic' account using the victim's email address. If the victim later creates a 'federated' account with the same email address, the service merges the two accounts and the attacker gains access to the victim's account.

◆ Unexpired session ID attack
This attack exploits a flaw in which a password reset does not sign existing sessions out of the account. The attacker first creates a 'classic' account with the victim's email address and keeps the session alive with a script that accesses the account at regular intervals.

Later, when the victim tries to create an account with the same email address, the service tells them that an account already exists. Thinking 'maybe I created an account before and forgot', the victim recovers the account by resetting the password and starts using the service. Because the attacker's session is never invalidated, it remains valid, and the victim's data flows to the attacker.

◆ Trojan ID attack
In this attack, the attacker first creates an account using the victim's email address and a password of the attacker's choosing. The attacker then adds their own federated ID to that account. As in the unexpired session ID attack, the victim recovers the account by resetting the password and uses it, but the attacker can still sign in with the federated ID. In other words, the identifier added to the account in advance acts as a Trojan horse.

◆ Unexpired email address change attack
The attacker first creates an account using the victim's email address, then starts the procedure to change that address to the attacker's own and leaves it half-finished. As a result, both the victim's and the attacker's email addresses remain linked to the account. Once the victim has recovered the account and started using it, the attacker completes the pending email address change and hijacks the account.

◆ Non-verifying IdP attack
An IdP is an identity provider that stores user IDs. The attacker first creates a federated ID at an IdP that does not verify ownership of email addresses, creates an account with it, and changes the account's email address to the victim's. If the victim later creates an account with their own email address and password, the service merges the two accounts that share the same email address, and the attacker gains access to the victim's account.

In this study, independent security researcher Avinash Sudhodanan and MSRC's Andrew Paverd analyzed 75 high-traffic sites and found that at least 35 services were vulnerable to account 'pre-hijacking'. These included well-known services such as Dropbox, Instagram, LinkedIn, WordPress.com and Zoom. The research team has already reported the 'pre-hijacking attacks' to these services, and each of them is implementing fixes.

As a lesson for service operators on preventing such attacks, the research team said: 'Before creating a new account with an ID such as an email address or phone number provided by the user, or adding them to an existing account, make sure the ID really belongs to the user.'
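The service-side rule quoted above, together with the five failure modes listed earlier, can be exercised in a small model. The following Python is an added example written for this article, not code from the paper or from any of the named services; the AccountService class, its methods and the sample addresses are all invented for the illustration. It runs each of the five scenarios against a deliberately weak service and against one that applies the rule: never trust a password, session, linked identifier or pending change that was attached to an account before its email address was verified, and invalidate all of them on password reset.

```python
"""Toy model of account sign-up with the defences the researchers recommend; an added
illustration for this article, not code from the paper or any service named above. All
names and addresses are invented. hardened=False reproduces the failures, hardened=True
never trusts anything attached to an account whose address its owner has not verified."""
from dataclasses import dataclass, field
from typing import Optional
import secrets

VICTIM, ATTACKER = "victim@example.com", "attacker@example.net"   # constructed samples

@dataclass
class Account:
    email: str
    email_verified: bool = False          # has the owner of this address proved control?
    password: Optional[str] = None
    federated_ids: set = field(default_factory=set)
    sessions: set = field(default_factory=set)
    pending_email: Optional[str] = None   # target of an in-progress address change

class AccountService:
    def __init__(self, hardened):
        self.hardened, self.accounts = hardened, {}

    def _session(self, acct):
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token

    def _by_session(self, token):
        return next((a for a in self.accounts.values() if token in a.sessions), None)

    def _discard_untrusted_state(self, acct):   # owner never proved control: drop everything
        acct.password, acct.pending_email = None, None
        acct.sessions, acct.federated_ids = set(), set()

    def signup_classic(self, email, password):
        acct = self.accounts.get(email)
        if acct is None:
            acct = self.accounts[email] = Account(email=email)
        elif self.hardened and not acct.email_verified:
            self._discard_untrusted_state(acct)   # blocks the non-verifying IdP merge
        acct.password = password
        return self._session(acct)

    def signin_federated(self, fed_id, asserted_email, idp_verified_email):
        if self.hardened and not idp_verified_email:
            return None                           # refuse assertions from a non-verifying IdP
        acct = self.accounts.get(asserted_email)
        if acct is None:
            acct = self.accounts[asserted_email] = Account(email=asserted_email)
        elif self.hardened and not acct.email_verified:
            self._discard_untrusted_state(acct)   # blocks the classic-federated merge
        acct.email_verified = acct.email_verified or idp_verified_email
        acct.federated_ids.add(fed_id)
        return self._session(acct)

    def reset_password(self, email, new_password):   # reached via a link mailed to `email`
        acct = self.accounts[email]
        if self.hardened:
            self._discard_untrusted_state(acct)   # ends old sessions, Trojan IDs, pending changes
        acct.email_verified, acct.password = True, new_password
        return self._session(acct)

    def complete_email_change(self, token):
        acct = self._by_session(token)
        if acct is None or acct.pending_email is None:
            return False
        del self.accounts[acct.email]
        acct.email, acct.pending_email = acct.pending_email, None
        self.accounts[acct.email] = acct
        return True

# Each scenario follows the article's description; True means the attacker still has access.
def classic_federated_merge(svc):
    svc.signup_classic(VICTIM, "attacker-pw")
    tok = svc.signin_federated("idp:victim", VICTIM, True)
    return svc._by_session(tok).password == "attacker-pw"

def unexpired_session(svc):
    atk = svc.signup_classic(VICTIM, "attacker-pw")   # attacker keeps this session alive
    return atk in svc._by_session(svc.reset_password(VICTIM, "victim-pw")).sessions

def trojan_id(svc):
    svc._by_session(svc.signup_classic(VICTIM, "attacker-pw")).federated_ids.add("idp:attacker")
    return "idp:attacker" in svc._by_session(svc.reset_password(VICTIM, "victim-pw")).federated_ids

def unexpired_email_change(svc):
    atk = svc.signup_classic(VICTIM, "attacker-pw")
    svc._by_session(atk).pending_email = ATTACKER   # change started, deliberately left unfinished
    acct = svc._by_session(svc.reset_password(VICTIM, "victim-pw"))
    return svc.complete_email_change(atk) and acct.email == ATTACKER

def non_verifying_idp(svc):
    atk = svc.signin_federated("idp:attacker", VICTIM, False)   # IdP never checked the address
    victim = svc._by_session(svc.signup_classic(VICTIM, "victim-pw"))
    return atk is not None and "idp:attacker" in victim.federated_ids

def run_all(hardened):   # scenario name -> attacker keeps access, each on a fresh service
    return {fn.__name__: fn(AccountService(hardened)) for fn in (classic_federated_merge,
            unexpired_session, trojan_id, unexpired_email_change, non_verifying_idp)}
```

run_all(False) returns True for every scenario (the attacker keeps access) and run_all(True) returns False for every one. The quoted rule asks services to verify the identifier before creating the account at all; the model instead lets the unverified account exist and wipes its state the moment a verified owner appears, which gives the same guarantee at merge time, and the password-reset path does the same because a reset link proves control of the address.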

The research team also recommended that ordinary users of these services enable multi-factor authentication, which prevents most 'pre-hijacking attacks'. They also noted that receiving an email about an account you don't remember creating is a possible warning sign of such an attack, so don't ignore it; report it to the service.

in Web Service, Security, Posted by log1l_ks