
About half of popular websites tested found vulnerable to account pre-hijacking

Two security researchers have identified five related techniques for hijacking internet accounts by preparing them to be commandeered in advance.

And they claim that when they analyzed 75 popular internet services, almost half were vulnerable to at least one of these techniques.

Avinash Sudhodanan, an independent security researcher, and Andrew Paverd, a senior researcher at Microsoft, describe their findings in a paper titled, “Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web.”

Scheduled for presentation at the USENIX Security Symposium in August, the paper examines how the interplay between federated identity services and traditional password-based account creation can be exploited because online services frequently fail to verify that the person signing in owns the supplied identifier before allowing use of the account.

“The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account,” explain Sudhodanan and Paverd in their paper.

The two researchers also published a blog post about their work this week.

Prior work in this area was presented at the USENIX conference in 2018 by five University of Chicago researchers. It explored how cookie theft could compromise Single Sign-On (SSO) services that people use through an Identity Provider (IdP) like Apple, Facebook, Google, or Microsoft.

In that scenario, the attacker gained control of the victim’s IdP login by stealing a session cookie, then used it to create an account at an online service where the victim had not yet established one. When the victim later signed up for the targeted service through the same IdP, the attacker could take over that account via the compromised federated login.

There must be five ways to break your security

Sudhodanan and Paverd have expanded this attack surface by identifying five related strategies for preemptive account hijacking that don’t involve compromising the federated identity provider account.

Their threat model makes certain assumptions: that the attacker can access the target service and third-party IdP services; that the attacker can create free and paid accounts at the target service but doesn’t have admin rights; that the attacker can create accounts with IdP services and use these with the target service; and that the attacker knows the victim’s email address and other basic details like first and last name.

Some of the attack variations assume being able to make the victim visit an attacker-controlled URL. The threat model also posits that the victim has enough security awareness to not respond to phishing, but allows that the victim ignores notifications sent from services where the victim has not yet established an account – an assumption the researchers claim is supported by prior research. As such, while these attacks do not depend directly on social engineering, they rely on certain kinds of social behavior.

The first of these is called the Classic-Federated Merge Attack, which requires the target service to support both classic (supply email address and password) account creation and SSO account creation through an IdP like Facebook Login.

The attacker uses the classic approach to sign up for an account using the victim’s email address and an attacker-chosen password. Then at some later time, the victim signs up via an IdP.

What happens next depends on how the service merges the two sign-ins and on how the victim reacts. The victim may or may not pay attention to notifications of account creation or of a pre-existing account, and could thwart the attack with a password reset. But if the service silently links the IdP identity to the attacker-created account, the attacker may continue to sign in via the classic method while the victim accesses the same account via the IdP.

The second technique is called an Unexpired Session Attack, which requires the target service to support password resets and multiple concurrent sessions.

[Figure: Attack tree of account pre-hijacking attacks, showing how the attacks can be pulled off. Source: Andrew Paverd / Microsoft]

“This attack exploits a vulnerability in which authenticated users are not signed out of an account when the password is reset,” the researchers explain. “This allows the attacker to retain access to a pre-hijacked account even after the victim resets the password.”

In this scenario, the attacker creates an account using the victim’s email then logs in and keeps the session active indefinitely, likely via script.

The victim would have to try to create an account at the target service. Upon seeing that an account already exists, the victim might then try to reset the password. But if the service did not invalidate the attacker’s maintained sessions, the attacker would then have access to the victim’s account.
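The two failures described above, the silent merge of an unverified classic account with a later IdP sign-in and the password reset that leaves old sessions alive, come down to a few lines of account-service logic. The following is an added example, not code from the paper or from any of the services named in this article: a toy account store with one switch per weakness, so the vulnerable and hardened behaviour can be run side by side. Class and method names, the session-token format and the sample address `victim@example.com` are assumptions made for illustration. It also models the root cause the researchers name in their conclusion: classic sign-up never checks that the caller owns the address before the account becomes usable.

```python
from typing import Dict, Optional
import secrets


class Account:
    """One user record. Both login methods can point at the same record."""

    def __init__(self, email: str, password: Optional[str] = None,
                 idp_subject: Optional[str] = None, email_verified: bool = False):
        self.email = email
        self.password = password            # set for classic (email + password) accounts
        self.idp_subject = idp_subject      # set once an IdP identity is linked
        self.email_verified = email_verified


class Service:
    """Toy account store. Two flags select the vulnerable or the hardened behaviour."""

    def __init__(self, merge_unverified: bool, keep_sessions_on_reset: bool):
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}  # session token -> account email
        self.merge_unverified = merge_unverified
        self.keep_sessions_on_reset = keep_sessions_on_reset

    # Classic sign-up never checks that the caller owns the address (the root
    # cause the paper identifies); a real service would send a link asynchronously.
    def classic_signup(self, email: str, password: str) -> None:
        if email in self.accounts:
            raise ValueError("account already exists")
        self.accounts[email] = Account(email, password=password)

    def classic_login(self, email: str, password: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            return None
        return self._new_session(acct)

    # Federated sign-in: the IdP has asserted (email, subject) for this user.
    def federated_login(self, email: str, idp_subject: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email, idp_subject=idp_subject, email_verified=True)
            self.accounts[email] = acct
        elif acct.idp_subject is None:
            # A classic account with this email already exists: the merge path.
            if not acct.email_verified and not self.merge_unverified:
                # Hardened: never link an IdP identity to an account whose
                # address was never proven; the classic side must verify first.
                raise PermissionError("unverified account with this email exists")
            acct.idp_subject = idp_subject  # vulnerable: silent merge
            acct.email_verified = True
        elif acct.idp_subject != idp_subject:
            return None
        return self._new_session(acct)

    def reset_password(self, email: str, new_password: str) -> None:
        # Assumes the caller proved control of the mailbox, which the victim can.
        self.accounts[email].password = new_password
        if not self.keep_sessions_on_reset:
            # Hardened: a password reset ends every existing session on the account.
            self.sessions = {t: e for t, e in self.sessions.items() if e != email}

    def whoami(self, token: Optional[str]) -> Optional[str]:
        return self.sessions.get(token) if token is not None else None

    def _new_session(self, acct: Account) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = acct.email
        return token


VICTIM = "victim@example.com"   # constructed sample identifier


def classic_federated_merge(hardened: bool) -> bool:
    """True if the attacker keeps a password login on the account that the
    victim's IdP identity was linked to."""
    svc = Service(merge_unverified=not hardened, keep_sessions_on_reset=False)
    svc.classic_signup(VICTIM, "attacker-pw")            # attacker moves first
    try:
        victim_token = svc.federated_login(VICTIM, "idp-subject-42")
    except PermissionError:
        victim_token = None                              # hardened service refuses
    attacker_token = svc.classic_login(VICTIM, "attacker-pw")
    linked = svc.accounts[VICTIM].idp_subject is not None
    return victim_token is not None and attacker_token is not None and linked


def unexpired_session(hardened: bool) -> bool:
    """True if the attacker's pre-existing session survives the victim's reset."""
    svc = Service(merge_unverified=True, keep_sessions_on_reset=not hardened)
    svc.classic_signup(VICTIM, "attacker-pw")
    attacker_token = svc.classic_login(VICTIM, "attacker-pw")  # kept alive by the attacker
    svc.reset_password(VICTIM, "victim-pw")             # victim finds the account, resets
    victim_token = svc.classic_login(VICTIM, "victim-pw")
    return svc.whoami(victim_token) == VICTIM and svc.whoami(attacker_token) == VICTIM


if __name__ == "__main__":
    for name, fn in (("classic-federated merge", classic_federated_merge),
                     ("unexpired session", unexpired_session)):
        print(f"{name}: vulnerable={fn(False)} hardened={fn(True)}")
```

The hardened merge path deliberately errs on the side of friction: an IdP sign-in that collides with an unverified classic account is refused until that account proves ownership of the address, which is the synchronous verification the researchers say most services skip. The hardened reset path is the simpler rule that a password reset revokes every session on the account, so a session an attacker opened before the victim ever showed up cannot outlive the reset.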

Other pre-hijacking attacks described include Trojan Identifier, Unexpired Email Change, and Non-verifying IdP.

Not a small problem

These all may sound fairly speculative because they’re not guaranteed to work. But they proved workable enough to try on a wide variety of popular online services. When the researchers tested 75 popular services from the Alexa top 150 websites to determine whether they could be exploited via pre-hijacking attacks, they found at least 35 were vulnerable to one or more of these techniques.

Dropbox, for example, was found to be vulnerable to the Unexpired Email Change Attack. Instagram was found to be vulnerable to the Trojan Identifier Attack. Microsoft’s own LinkedIn was potentially vulnerable to the Unexpired Session Attack, as well as a variant of the Trojan Identifier Attack. WordPress and Zoom were each found to be vulnerable to two of these attacks.

Sudhodanan and Paverd say that they responsibly disclosed all of the 56 vulnerabilities they identified across 35 services, 19 of which were reported through third-party bug bounty platforms like HackerOne, Bugcrowd, and Federacy. They say they also contacted an additional 11 companies via their security reporting email addresses. In theory, the companies that received these reports will have addressed them by now.

“The root cause of all of the attacks identified in the preceding sections is failure to verify ownership of the claimed identifier,” the researchers conclude. “…Although many services do perform this type of verification, they often do so asynchronously, allowing the user to use certain features of the account before the identifier has been verified. Although this might improve usability (reduces user friction during sign up), it leaves the user vulnerable to pre-hijacking attacks.” ®