Account pre-hijacking
Account pre-hijacking attacks are a class of security exploit related to online services. They involve anticipating a user signing up for an online service and signing up to the service in their name, and then taking over their account when they attempt to register it themselves.[1][2][3] The attack relies on confusion between accounts created by federated identity services and accounts created using e-mail addresses and passwords, and the failure of services to resolve this confusion correctly.[1]
Pre-hijacking was first identified as a class of vulnerabilities in 2022, based on research funded by Microsoft's Security Response Center.[4][5]
Out of 75 online services surveyed, 35 were found to be vulnerable to various forms of the exploit. Vulnerable services included Dropbox, Instagram, LinkedIn, WordPress and Zoom. The existence of the vulnerability was reported to all the service providers before publication of the paper.[5]
See also
References
- ↑ 1.0 1.1 Kovacs, Eduard (May 24, 2022). "Hackers Can 'Pre-Hijack' Online Accounts Before They Are Created by Users". https://www.securityweek.com/hackers-can-pre-hijack-online-accounts-they-are-created-users.
- ↑ Brinkmann, Martin (2022-05-24). "Pre-hijacking Attacks of user accounts are on the rise" (in en-US). https://www.ghacks.net/2022/05/24/pre-hijacking-attacks-of-user-accounts-are-on-the-rise/.
- ↑ Andrew Paverd (May 23, 2022). "New Research Paper: Pre-hijacking Attacks on Web User Accounts" (in en-US). https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/.
- ↑ Dickson, Ben (2022-05-30). "Dozens of high-traffic websites vulnerable to 'account pre-hijacking', study finds" (in en). https://portswigger.net/daily-swig/dozens-of-high-traffic-websites-vulnerable-to-account-pre-hijacking-study-finds.
- ↑ 5.0 5.1 Sudhodanan, Avinash; Paverd, Andrew (2022-05-20). "Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web". arXiv:2205.10174 [cs.CR].
 |  |
