About half of popular websites tested found vulnerable to account pre-hijacking

In detail: Ocean's Eleven-grade ruse in which victims' profiles are rigged from the start


Two security researchers have identified five related techniques for hijacking internet accounts by preparing them to be commandeered in advance.

And they claim that when they analyzed 75 popular internet services, almost half were vulnerable to at least one of these techniques.

Avinash Sudhodanan, an independent security researcher, and Andrew Paverd, a senior researcher at Microsoft, describe their findings in a paper titled, "Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web."

Scheduled for presentation at the USENIX Security Symposium in August, the paper examines how the interplay between federated identity services and traditional password-based account creation can be exploited because online services frequently fail to verify that the person signing in owns the supplied identifier before allowing use of the account.

"The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account," explain Sudhodanan and Paverd in their paper.

The two researchers also published a blog post about their work this week.

Prior work in this area was presented at the USENIX conference in 2018 by five University of Chicago researchers. It explored how cookie theft could compromise Single Sign-On (SSO) services that people use through an Identity Provider (IdP) like Apple, Facebook, Google, or Microsoft.

In that scenario, the attacker gained control of the victim's federated identity (IdP) by stealing a session cookie and using it to create an account at an online service where the victim hasn't yet established an account. After the victim subsequently tries to sign up for the targeted service, the attacker can take over that account through the compromised federated login.

There must be five ways to break your security

Sudhodanan and Paverd have expanded this attack surface by identifying five related strategies for preemptive account hijacking that don't involve compromising the federated identity provider account.

Their threat model makes certain assumptions: that the attacker can access the target service and third-party IdP services; that the attacker can create free and paid accounts at the target service but doesn't have admin rights; that the attacker can create accounts with IdP services and use these with the target service; and that the attacker knows the victim's email address and other basic details like first and last name.

Some of the attack variations assume being able to make the victim visit an attacker-controlled URL. The threat model also posits that the victim has enough security awareness to not respond to phishing, but allows that the victim ignores notifications sent from services where the victim has not yet established an account – an assumption the researchers claim is supported by prior research. As such, while these attacks do not depend directly on social engineering, they rely on certain kinds of social behavior.

The first of this is called the Classic-Federated Merge Attack, which requires the target service to support both classic (supply email address and password) account creation and SSO account creation through an IdP like Facebook Login.

The attacker uses the classic approach to sign for an account using the victim's email address and an attacker-chosen password. Then at some later time, the victim signs up via an IdP.

It's not certain what will happen next. The victim may or may not pay attention to notifications of account creation or of a pre-existing account, and could thwart the attack with a password reset. But the attacker may also continue to be able to sign in via the classic method while the victim accesses the account via IdP.

The second technique is called an Unexpired Session Attack, which requires the target service to support password resets and multiple concurrent sessions.

Attack tree of account pre-hijacking attacks

How the attacks can be pulled off ... Source: Andrew Paverd / Microsoft. Click to enlarge

"This attack exploits a vulnerability in which authenticated users are not signed out of an account when the password is reset," the researchers explain. "This allows the attacker to retain access to a pre-hijacked account even after the victim resets the password."

In this scenario, the attacker creates an account using the victim's email then logs in and keeps the session active indefinitely, likely via script.

The victim would have to try to create an account at the target service. Upon seeing that an account already exists, the victim might then try to reset the password. But if the service did not invalidate the attacker's maintained sessions, the attacker would then have access to the victim's account.

Other pre-hijacking attacks described include Trojan Identifier, Unexpired Email Change, and Non-verifying IdP.

Not a small problem

These all may sound fairly speculative because they're not guaranteed to work. But they proved workable enough to try on a wide variety of popular online services. When the researchers tested 75 popular services from the Alexa top 150 websites to determine whether they could be exploited via pre-hijacking attacks, they found at least 35 were vulnerable to one or more of these techniques.

Dropbox, for example, was found to be vulnerable to the Unexpired Email Change Attack. Instagram was found to be vulnerable to the Trojan Identifier Attack. Microsoft's own LinkedIn was potentially vulnerable to the Unexpired Session Attack, as well as a variant of the Trojan Identifier Attack. WordPress and Zoom were each found to be vulnerable to two of these attacks.

Sudhodanan and Paverd say that they responsibly disclosed all of the 56 vulnerabilities they identified for 35 services, 19 of which were reported through third-party bug services like HackerOne, Bugcrowd, and Federacy. They say they also contacted an additional 11 companies via their security reporting email addresses. In theory, the companies that received these reports will have addressed them by now.

"The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier," the researchers conclude. "...Although many services do perform this type of verification, they often do so asynchronously, allowing the user to use certain features of the account before the identifier has been verified. Although this might improve usability (reduces user friction during sign up), it leaves the user vulnerable to pre-hijacking attacks." ®

Broader topics


Other stories you might like

  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading

Biting the hand that feeds IT © 1998–2022