Most computer users are aware that criminals may gain access to their online accounts, for instance, by stealing or guessing the password, through phishing or other forms of attack.
Many may not be aware of a new attack type that is creating accounts with a user’s email address before the user does so. Malicious actors use account pre-hijacking attacks to prepare user accounts for full takeovers. The attacker creates accounts on sites and services using a victim’s email address. Various techniques are then used to “put the account into a pre-hijacked state”. Once a victim has recovered access to the account, after finding out during sign-up that an account with the victim’s email address exists already, attacks are carried out to take over the account fully.
Not all websites and services are vulnerable to account pre-hijacking attacks, but security researcher Avinash Sudhodanan believes that a significant number is. Sudhodanan published the research paper “Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web” in May 2022 in which he describes five types of pre-hijacking attacks.
The creation of online accounts has evolved on the Internet. Previously, users used an identifier and password to create accounts. These accounts were linked to a user’s email address usually. The method is still available on today’s Internet, but sites started to support federated authentication as well, often in addition to supporting traditional account creation processes.
Federated authentication, for example, Single Sign-On, adds a new layer of complexity to the user creation process, as sites and services often support both options. Companies such as Facebook, Microsoft or Google support federated authentication and act as identity providers. Users users may sign-up to third-party services that support Single Sign-On and the user’s identity provider. Some sites allow users to link classic user accounts to Single Sign-On providers, which unlocks the ability to sign in using a username and password, or the identity provider.
Websites and services have a strong incentive to support identity providers according to Sudhodanan, as “it improves the experience for users”. Users may re-use accounts that they have created in the past across multiple services; this makes the account creation process easier, faster and may eliminate the need to set up account passwords. Previous research has shown that Single Sign-On providers become high value targets for attacks.
Research focused on security implications for existing accounts and less on the account creation process itself up to this point.
Account Pre-Hijacking Attacks
In his research, Sudhodanan demonstrates that an entire class of account pre-hijacking attacks exists. All have in common that the attacker is performing actions at a target service before the victim does. None of the five different attack types that Sudhodanan describes in the research paper require access to a victim’s Identity Provider account.
Attackers need to target services that victims will likely sign-up for in the future. Additional information, for instance about existing accounts or interests, may help with the selection of targets, but attackers may also pick targets by popularity, trends or even press releases if organizations are the target.
The goal of account pre-hijacking attacks is the same as that of classic account hijacking attacks: to gain access to the victim’s account.
Depending on the nature of the target service, a successful attack could allow the attacker to read/modify sensitive information associated with the account (e.g., messages, billing statements, usage history, etc.) or perform actions using he victim’s identity (e.g., send spoofed messages, make purchases using saved payment methods, etc.)
An attack consists of three phases:
- Pre-hijack — The attacker uses the email addresses of victims to create accounts at target services. Knowledge of the email address is required to carry out the attack.
- Victim action — The victim needs to create an account at the target or recover the account that exists already.
- Account takeover attack — The attacker attempts to take over the user account at the target service using different attack forms.
Classic-Federated Merge Attack
The attack exploits interaction weaknesses between classic accounts and federated accounts at a single provider. The attacker may use a victim’s email address to create an account at the provider; the victim may create an account using the federated provider instead using the same email address. Depending on how the service merges the two accounts, it could result in both parties having access to the same account.
For the attack to be carried out successfully, it is required that the target service supports classic and federated accounts. Additionally, email addresses should be used as the unique account identifier and the merging of both account types needs to be supported.
Once the victim creates the account using the federated provider, the target service may merge the accounts. Depending on how that is done, it may give the attacker access to the target service using the specified password.
Unexpired Session Attack
This attack exploits that some services do not sign-out users of their accounts if a password is reset. A victim may reset an account password at a service if the service informs the victim that an account exists already.
The attack works if the service supports multiple concurrent sessions and if users are not signed-out of accounts if passwords are reset. The attacker needs to stay signed-in to the account to keep the session active.
Trojan Identifier Attack
The attacker creates an account at the target service using the victim’s email address and any password. Once done, a second identifier is added to the account, e.g., another email address that the attacker controls.
When the victim resets the passwords, the attacker may use the secondary identifier to regain access to the account.
Unexpired Email Change Attack
The attack exploits a vulnerability in the email changing process of target services. The attacker creates an account using the victim’s email address and any password in the beginning. Afterwards, the attacker begins the process of changing the account’s email address; this leads to a confirmation email being sent to the new email address.
Instead of clicking on the provided link right away, the attacker waits for the victim to reset the account password of the account and to recover the account. The attacker will then activate the link to take control of the victim’s account.
The attack works only if the target service is not invalidating links after a set period.
Non-verifying IdP Attack
The attack mirrors the Classic-Federated Merge Attack. The attacker creates an account at a target service using an Identity Provider that “does not verify ownership of an email address when creating a federated identity”.
The victim would have to create a classic account at the target service. If the service combines the two, the attacker may be able to access the account.
Sudhodanan examined 75 sites of the Alexa top 150 sites to find out if these are vulnerable to one or multiple of the described attacks. He found 252 potential vulnerabilities and 56 confirmed vulnerabilities during the analysis. Dropbox, Instagram, LinkedIn, WordPress.com and Zoom were found to be vulnerable to one of the described attacks.
The research paper is accessible here.
Now You: what do you do with account creation emails for accounts that you did not initiate?