Researchers have discovered that hackers can access users’ online accounts using account pre-hijacking. Put another way, a hacker can perform a set of actions before an unsuspecting victim even creates an account.
The Microsoft Security Response Center reported that these attacks have the same effect as account hijacking. They can allow the attacker to access a victim’s confidential information without their knowledge.
The study found that at least 35 of 75 popular online services are vulnerable to pre-hijacking attacks. These services include those offered by Instagram, LinkedIn, Zoom, WordPress, and Dropbox.
Pre-hijacking relies on attackers already having a unique identifier associated with a victim, such as a victim’s email address or phone number found from the victim’s social media accounts or previous data breaches.
“If the attacker can create an account at a target service using the victim’s email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state,” the researchers said.
To begin with, the hacker might already know what services the victim uses, such as an email account.
Furthermore, the attacker might discover that a large organization is using a shared service and pre-hijack any accounts associated with that organization. Additionally, an observer might determine that a service is becoming popular, such as Zoom, where people can work remotely.
Three account pre-hijacking attacks
First, in the classical federated merge, the hacker uses account merging when the target creates an account with an existing email address. In addition, the hacker starts a password, and a victim may never change their password.
Secondly, the hacker keeps the session active after creating the account using an automated script in the unexpired session attack. Generally, with account pre-hijacking, the victim cannot sign out when a session is active. As a result, the hacker can continue accessing the account.
Third, the attacker creates an account using the victim’s email address in the unexpired email change attack. Eventually, the hacker submits a change request for that email. But it doesn’t confirm. After the victim resets a password, the attacker validates the change and assumes control of the account.