Security researchers have shown that an attacker can take over a user's account before the user has even registered it. The technique, which the researchers call account pre-hijacking, exploits weaknesses in the account-creation flows of popular sites such as Instagram, LinkedIn, Zoom, WordPress and Dropbox.
Andrew Paverd of the Microsoft Security Response Center and independent security researcher Avinash Sudhodanan examined 75 popular online services and found that at least 35 of them were vulnerable to one or more attacks that let an account be hijacked before its legitimate owner registers it.
“The consequences of pre-hacking an account are the same as the consequences of the hacking itself. Depending on the attacked device, a successful attack may allow an attacker to read/modify sensitive information associated with the account (messages, account statements, usage history, etc.) and perform actions on behalf of the user (send messages, make purchases using saved payment methods, etc.),” Sudhodanan said.
The only thing the attacker needs is the victim's email address, which is easy to obtain today. Using that address, the attacker creates an account on the vulnerable site and counts on the victim ignoring the resulting notification email or discarding it as spam. The attacker then waits for the victim to sign up on the site, or lures the victim into doing so.
The researchers describe five attack variants: the classic-federated merge (CFM) attack, the unexpired session (US) attack, the trojan identifier (TID) attack, the unexpired email change (UEC) attack and the non-verifying identity provider (non-verifying IdP, NV) attack.
In a CFM attack, the attacker first creates a classic, password-based account with the victim's email address. When the victim later signs up with the same address via single sign-on (SSO), the vulnerable site simply merges the two accounts, in some cases without notifying anyone. Because the victim logs in through the identity provider, she never sets or changes a password, so the password chosen by the attacker keeps working.
In the unexpired session attack, the attacker creates the account and then keeps his session alive with an automated script. When the victim registers and resets the password, the site fails to invalidate existing sessions, so the attacker's session survives and he retains access to the account.
The trojan identifier attack combines the first two methods.
“The attacker registers an account with the victim’s email address, but then links it to his IdP account for federated authentication. When the victim resets the password (as in the unexpired session case), the attacker still has access to the account through federated authentication,” the researchers explained.
In the UEC attack, the attacker registers an account with the victim's email address and then requests a change of the account's email address to one he controls, but deliberately does not confirm it. After the victim resets the password, the attacker confirms the still-pending change, moves the account to his own address and regains control of it.
In the NV attack, the attacker exploits the fact that some identity providers do not verify that a user actually owns the email address given at sign-up. Using such a provider, which according to the researchers includes cloud identity services like Okta and OneLogin, the attacker creates a federated identity with the victim's email address and registers at the target site with it. When the victim later creates a classic account with the same address, the site merges the two, as in the CFM attack, and the attacker keeps his federated way in.
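The five variants above all come down to one question: which state created by the attacker survives the moment the real email owner proves control of the address? The following toy account service, added here as an illustration and not code from the researchers or from any of the sites named in the article, runs each attack once against a deliberately flawed configuration and once against a hardened one. The hardening rule it implements is the obvious one: whenever the email owner proves control (password reset, verified classic sign-up, or sign-up through an IdP that verified the address), discard every session, pending email change and linked federated identity created before that moment, and refuse federated sign-ups from IdPs that did not verify the email. Every class, method, email address and IdP name in the block is this example's own invention.

```python
"""Toy model of account pre-hijacking: the same in-memory service in a
vulnerable and a hardened mode. Names and data are constructed for the example."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password: str | None = None
    idp_ids: set[str] = field(default_factory=set)   # linked federated identities


class AccountService:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, str] = {}                    # token -> email
        self.email_changes: dict[str, tuple[str, str]] = {}   # token -> (old, new)

    def _session(self, email: str) -> str:
        tok = secrets.token_hex(8)
        self.sessions[tok] = email
        return tok

    def _owner_proved_control(self, acct: Account) -> None:
        """Hardened policy: anything set up before the owner proved control is dropped."""
        if not self.hardened:
            return
        self.sessions = {t: e for t, e in self.sessions.items() if e != acct.email}
        self.email_changes = {t: v for t, v in self.email_changes.items() if v[0] != acct.email}
        acct.idp_ids.clear()

    def signup_classic(self, email: str, password: str) -> str:
        """Classic sign-up; assumed to complete only after the mail link is clicked,
        so signing up over an existing email counts as proof of control."""
        acct = self.accounts.get(email)
        if acct is None:
            acct = self.accounts[email] = Account(email)
        else:
            self._owner_proved_control(acct)
        acct.password = password
        return self._session(email)

    def signup_federated(self, email: str, idp_id: str, idp_verified_email: bool = True) -> str | None:
        """Federated sign-up. Vulnerable mode merges silently into any existing
        account (CFM) and trusts any IdP (NV); hardened mode rejects non-verifying
        IdPs and treats a verified federated sign-up as proof of control."""
        if self.hardened and not idp_verified_email:
            return None
        acct = self.accounts.get(email)
        if acct is None:
            acct = self.accounts[email] = Account(email)
        else:
            self._owner_proved_control(acct)
            if self.hardened:
                acct.password = None      # attacker-chosen password must not survive
        acct.idp_ids.add(idp_id)
        return self._session(email)

    def login_password(self, email: str, password: str) -> str | None:
        acct = self.accounts.get(email)
        return self._session(email) if acct and acct.password == password else None

    def login_federated(self, email: str, idp_id: str) -> str | None:
        acct = self.accounts.get(email)
        return self._session(email) if acct and idp_id in acct.idp_ids else None

    def link_idp(self, session: str, idp_id: str) -> None:
        self.accounts[self.sessions[session]].idp_ids.add(idp_id)

    def request_email_change(self, session: str, new_email: str) -> str:
        tok = secrets.token_hex(8)
        self.email_changes[tok] = (self.sessions[session], new_email)
        return tok

    def confirm_email_change(self, tok: str) -> bool:
        change = self.email_changes.pop(tok, None)
        if change is None:
            return False
        old, new = change
        acct = self.accounts.pop(old)
        acct.email = new
        self.accounts[new] = acct
        return True

    def reset_password(self, email: str, new_password: str) -> str:
        """Victim proves control of the address via a reset link and sets a new password."""
        acct = self.accounts[email]
        acct.password = new_password
        self._owner_proved_control(acct)
        return self._session(email)

    def session_valid(self, tok: str) -> bool:
        return tok in self.sessions


VICTIM, ATTACKER = "victim@example.com", "attacker@example.net"   # constructed addresses

# Each scenario returns True if the attacker still has a way in after the victim takes over.
def classic_federated_merge(svc: AccountService) -> bool:
    svc.signup_classic(VICTIM, "attacker-pw")
    svc.signup_federated(VICTIM, "idp:victim")            # victim arrives via SSO
    return svc.login_password(VICTIM, "attacker-pw") is not None

def unexpired_session(svc: AccountService) -> bool:
    s = svc.signup_classic(VICTIM, "attacker-pw")         # attacker keeps this session alive
    svc.reset_password(VICTIM, "victim-pw")
    return svc.session_valid(s)

def trojan_identifier(svc: AccountService) -> bool:
    s = svc.signup_classic(VICTIM, "attacker-pw")
    svc.link_idp(s, "idp:attacker")                       # attacker links his own IdP
    svc.reset_password(VICTIM, "victim-pw")
    return svc.login_federated(VICTIM, "idp:attacker") is not None

def unexpired_email_change(svc: AccountService) -> bool:
    s = svc.signup_classic(VICTIM, "attacker-pw")
    tok = svc.request_email_change(s, ATTACKER)           # left unconfirmed on purpose
    svc.reset_password(VICTIM, "victim-pw")
    svc.confirm_email_change(tok)                         # confirmed only now
    return ATTACKER in svc.accounts                       # recovery address is now the attacker's

def non_verifying_idp(svc: AccountService) -> bool:
    svc.signup_federated(VICTIM, "idp:attacker", idp_verified_email=False)
    svc.signup_classic(VICTIM, "victim-pw")               # victim registers later
    return svc.login_federated(VICTIM, "idp:attacker") is not None

ATTACKS = {"CFM": classic_federated_merge, "US": unexpired_session, "TID": trojan_identifier,
           "UEC": unexpired_email_change, "NV": non_verifying_idp}

def run_all() -> dict[str, tuple[bool, bool]]:
    """Per attack: (attacker keeps access on vulnerable service, ... on hardened service)."""
    return {name: (fn(AccountService(hardened=False)), fn(AccountService(hardened=True)))
            for name, fn in ATTACKS.items()}

if __name__ == "__main__":
    for name, (vuln, hard) in run_all().items():
        print(f"{name}: vulnerable={'hijacked' if vuln else 'safe'}, hardened={'hijacked' if hard else 'safe'}")
```

Running the block prints all five attacks succeeding against the vulnerable mode and failing against the hardened one. The point worth taking from the model is that a password reset alone fixes nothing: the vulnerable `reset_password` changes only the password, while the hardened one also drops sessions, pending email changes and linked identities, and `signup_federated` refuses to merge into an existing account on the strength of an unverified IdP assertion.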