Through a threat dubbed pre-hijacking attacks, internet users risk having their sensitive data stolen even before they sign up or register on a given online platform. The report comes from security experts' analysis of how threat actors could exploit vulnerabilities, since patched, in mainstream sites such as LinkedIn, WordPress, Instagram, Zoom, and Dropbox.
The experts assessed 75 widely used online services and found that about 35 of them were vulnerable to pre-hijacking attacks. They explained that while these attacks vary in type and severity, all of them stem from poor security measures on the part of the platform administrators.
Pre-hijacking attacks follow a lengthy execution procedure, and they feed the widespread problem of stolen user data worldwide.
Initially, the campaign operators gather the victims' email addresses, which they can easily obtain from the numerous underground marketplaces that sell data compromised in breaches.
Once the hackers have the list of their targets' email addresses, they use them to create accounts on a vulnerable website, which will most likely send an email alert to the victim's inbox. Users usually ignore these alerts, especially when they know they have not signed up for any site, and treat them as spam.
However, if the user eventually signs up on that vulnerable site, the hacker can carry out five different attacks to compromise the victim's data. The first is the classic-federated merge (CFM), in which the vulnerable site merges accounts when the victim creates their account with an email address that already exists. The CFM attack relies on offering the victim an SSO (single sign-on) option, which prevents them from changing the password the hacker set in advance.
The second attack tactic is the unexpired session identifier (US), in which the threat operators keep a login session active after creating an account with the victim's email address via an automated script. With this tactic, the victim may reset their password, but the active session on the hackers' device is not invalidated, so they keep access to the victim's account.
The third tactic, the trojan identifier (TID), combines the first two: it chains both procedures to gain access to the victim's account through an active session on the attackers' machine.
The fourth is the unexpired email change (UEC), in which the threat operators create an account with the victim's email address and then submit an email change request without confirming it. The victim eventually requests a password reset, which the hacker allows to proceed until they gain control of the victim's account.
Lastly, the threat operators perform the non-verifying identity provider attack (NV), in which they abuse an IdP's failure to verify ownership when a user account is created. This tactic allows them to make use of cloud-based login services, including OneLogin and Okta.
Email verification lets users protect themselves when registering an account on any platform, since it is a way of proving their identity. For a pre-hijacking attack to succeed, the threat operators evade the email verification step through one of their carefully crafted techniques.
The security researchers who conducted the study promptly reported the discovered flaws to all affected online platforms, whose administrators responded quickly. Nonetheless, the findings remain important for both platform owners and users, since they highlight the lack of effective security measures to fully safeguard a user account.
As a standing piece of advice, users are recommended to enable multi-factor authentication (MFA) when creating new accounts on any online platform. This step would force all active sessions to be stopped and invalidated.
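The controls that close the unexpired-session and unexpired-email-change classes described above, as an added example in Python; this is not code from the study or from any of the named platforms, and the account store, method names and sample addresses are constructed for illustration.

```python
# Added example, not code from the study or any named platform; names are constructed.
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    email: str
    password: str                       # placeholder; real services store a salted hash
    verified: bool = False              # True only after the mailbox owner confirms
    sessions: set = field(default_factory=set)    # currently valid session ids
    pending_email: Optional[str] = None           # unconfirmed email-change request

class AccountService:
    def __init__(self):
        self.accounts: dict = {}

    def register(self, email, password):
        # Anyone may register an address they do not own; the account stays unverified.
        self.accounts[email] = Account(email, password)

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            return None
        sid = secrets.token_hex(16)
        acct.sessions.add(sid)
        return sid

    def session_valid(self, email, sid):
        acct = self.accounts.get(email)
        return acct is not None and sid in acct.sessions

    def request_email_change(self, email, new_email):
        self.accounts[email].pending_email = new_email   # applied only after confirmation

    def verify_email(self, email, new_password):
        # The mailbox owner proves ownership and sets their own password; every session
        # opened before verification is dropped, so a pre-registration session (US) dies.
        self._take_ownership(self.accounts[email], new_password)
        self.accounts[email].verified = True

    def reset_password(self, email, new_password):
        # A reset also revokes all sessions and cancels any pending email change (US, UEC).
        self._take_ownership(self.accounts[email], new_password)

    @staticmethod
    def _take_ownership(acct, new_password):
        acct.password, acct.pending_email = new_password, None
        acct.sessions.clear()
```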