Here Are Five Ways Hackers Can Hijack Your Online Accounts Before You Even Make Them
by
Nathan Wasson
—
Tuesday, May 24, 2022, 04:54 PM EDT
Cybersecurity experts are constantly trying to improve user account security. This task can be a difficult one when users don’t take basic steps to secure their own accounts. A recent report found that the most commonly used passwords among business executives are “123456” and “password.” However, even accounts secured with strong, unique passwords and multi-factor authentication aren’t bullet proof. Threat actors can still use phishing techniques, malware, and system breaches to gain access to user accounts.
In recent years, single sign-on (SSO) has become fairly common, with proponents arguing that it increases security. SSO enables users to sign into multiple services using the same identity provider (IdP), such as Google, Facebook, or Microsoft. Users who sign into services with SSO still have separate accounts for those services, but they sign into all of those accounts with their user credentials for their IdP of choice, rather than using unique credentials for each account. SSO has the potential to increase user account security by reducing password fatigue; the idea being that it’s better to protect user accounts with one well secured log in, than to protect them with a whole bunch of weak passwords. However, SSO introduces a single point of failure for all accounts, which can weaken account security.
Beyond introducing a single point of failure, new research shows that SSO has further potential weaknesses. Research supported by Microsoft Security Response Center (MSRC) has revealed five different techniques that attackers can use to preemptively hijack user accounts by leveraging SSO. Unlike more traditional attacks, where a threat actor attempts to gain access to an already extant user account, pre-hijacking attacks require that a threat actor perform an action prior to account creation that will enable the threat actor to gain access to a user account once the user creates the account. What follows are five different account pre-hijacking attack methods.
1 - Classic-Federated Merge Attack
The attacker creates a classic account with a service using the victim’s email address. The victim later creates an account with that same service using SSO. The victim’s email address is linked to the IdP used for SSO, so the service automatically merges the accounts made by the attacker and the victim, granting the attacker access to the victim’s account.
2 - Unexpired Session Identifier Attack
The attacker creates an account with a service using the victim’s email address, then maintains an active session logged into the account. The victim later goes to create an account with the service, but discovers an account already exists, so the victim resets the password to gain access. However, the attacker’s active session remains valid after the password reset, giving the attacker access to the victim’s account.
3 - Trojan Identifier Attack
The attacker creates a classic account with a service using the victim’s email address, then adds an additional identifier to the account, such as an email address or phone number controlled by the attacker. The victim later goes to create an account with the service, but discovers an account already exists, so the victim resets the password to gain access. However, the attacker is able to use the additional identifier linked to the victim’s account to gain access by requesting a one-time sign in link.
4 - Unexpired Email Change Attack
The attacker creates an account with a service using the victim’s email address, then changes the email address associated with the account to an email address controlled by the attacker, but doesn’t confirm the change. The victim later goes to create an account with the service, but discovers an account already exists, so the victim resets the password to gain access. The attacker then confirms the email address change and gain’s access to the victim’s account by requesting a one-time sign in link.
5 - Non-Verifying IdP Attack
The attacker creates an account with a service using SSO. The attacker creates the account with an IdP linked to the victim’s email address. The victim later creates a traditional account with the service, but since the victim’s email address is already associated with the account created by the attacker, the service merges the accounts made by the attacker and the victim, granting the attacker access to the victim’s account.
The cybersecurity researchers analyzed 75 of the most popular websites and online services, and discovered that 35 out of the 75 were vulnerable to at least one of the pre-hijacking attack methods. The vulnerable services included Dropbox, Instagram, LinkedIn, Wordpress, and Zoom. The researchers disclosed these vulnerabilities to the affected websites and services months prior to publishing the research, so these companies and services could patch the vulnerabilities. However, the researchers warn that many other websites and services could still be vulnerable to these pre-hijacking attacks.
A MSRC blog post about the research states that all these attack methods “could be mitigated if the service sent a verification email to the user-provided email address and required the verification to be completed before allowing any further actions on the account.”