Dozens of high-traffic websites were vulnerable to account pre-hijacking. Dropbox, WordPress.com, Instagram, LinkedIn and Zoom were among those affected and have since deployed fixes

According to new research supported by the Microsoft Security Response Center (MSRC), an attacker can prepare to take over a victim's online account before the victim has even signed up for the service. In this attack class, called account pre-hijacking, the attacker performs some action on the service (typically creating an account with the victim's email address) before the victim registers. Once the victim creates or recovers the account, the attacker exploits weaknesses in the service's account-creation and authentication logic to retain or regain access to it.

The study found that dozens of high-traffic services were vulnerable to at least one type of pre-hijacking attack. The research draws attention to the security of the account-creation process, an area that has received little scrutiny so far.

To explain the motivation behind their research, the study authors write:

The proliferation of user accounts on websites and online services makes account takeover a serious security problem. Although previous research has investigated various techniques that allow an attacker to gain access to a victim's account, little attention has been paid to the account creation process. The current trend towards federated authentication (e.g., single sign-on) adds an extra layer of complexity because many services now support both the classic approach, where the user sets a password directly, and the federated approach, in which the user authenticates through an identity provider.

Inspired by previous work on preemptive account takeover, we show that there is a whole class of account pre-hijacking attacks. The peculiarity of these attacks is that the attacker does something before the victim creates an account, making it simple to access it once the victim creates or recovers the account. Assuming a realistic attacker who knows only the victim's email address, we identify and discuss five different types of pre-hijacking attacks.

To determine the prevalence of these vulnerabilities in the wild, we analyzed 75 popular services and found that at least 35 of them were vulnerable to one or more pre-hijacking attacks. While some of them may be noticed by vigilant users, others are completely undetectable from the victim's point of view. Finally, we investigated the root cause of these vulnerabilities and introduced a set of security requirements to prevent such vulnerabilities from arising in the future.

The attacker's goal is to gain control of (i.e. hijack) the victim's user account on the targeted service. The effect of a successful pre-hijacking attack is therefore the same as that of a classic account takeover: depending on the nature of the service, the attacker may be able to read or modify sensitive information associated with the account (messages, documents, billing data, usage history, etc.) or act under the victim's identity (sending messages, subscribing to services, making purchases with registered payment methods, etc.).

Several ways to pre-hijack an account

The research was supported by one of the Identity Project Research Grants awarded by MSRC in early 2020.

"In this project, we explored many topics, but quickly noticed an emerging pattern around the pre-hijacking threat model," said Andrew Paverd, MSRC senior researcher, and independent researcher Avinash Sudhodanan.

Account pre-hijacking assumes that the victim does not yet have an account on the target service and that the attacker knows the victim's email address (and possibly other basic information about them). The researchers identified five types of pre-hijacking attack.

Some exploit the fact that many online services support more than one way to create an account. On many websites, users can either supply an email address and password directly (the classic route) or use federated authentication through a consumer single sign-on (SSO) identity provider such as Facebook, Google or Microsoft.

For example, in the classic-federated merge attack, the attacker creates an account with the victim's email address via the classic route. The victim later signs up using the federated route. On some services, the two are merged into a single account, so that attacker and victim both have access to it at the same time.

In another type, the trojan identifier attack, the attacker creates an account on the service with the victim's email address and links the attacker's own federated identity to it. When the victim tries to sign up, the service tells them an account already exists and prompts them to reset the password. The victim gains access to the account, but the attacker retains access through the linked SSO identity.

The researchers said: "It is very positive to see how many online services are moving towards single sign-on, [but] this means that they may need to support multiple login mechanisms. This is not necessarily a problem in and of itself, and many services do it safely. Our research simply points out some subtle pitfalls to consider when supporting multiple login mechanisms."

Paverd and Sudhodanan noted that three of the five attacks do not require the service to support multiple login mechanisms at all.

For example, in the unexpired session identifier attack, the attacker's session remains valid even after the victim recovers the account and resets the password.

In another scenario, the unexpired email change attack, the attacker creates an account with the victim's email address and then requests that the address be changed to one the attacker controls, but deliberately does not confirm the change. The attacker waits for the victim to claim the account, then completes the pending email change and takes ownership of the account.

High-traffic services affected

In their study, the researchers examined 75 services drawn from Alexa's list of the 150 highest-traffic domains. At least 35 of them were vulnerable to one or more pre-hijacking attacks, including Dropbox, Instagram, LinkedIn, WordPress.com and Zoom. All affected services were notified of the vulnerabilities and have deployed the necessary fixes.

Dropbox

The researchers found that the Dropbox website was vulnerable to a variant of the unexpired email change attack. An attacker could create an account using the victim's email address. Dropbox then sent an email to the victim asking them to confirm the address; since the victim had not created a Dropbox account, they could simply ignore it, and the message gave no instructions on what to do if they had not created the account. The attacker then started an email change on the account, entering the attacker's own address, and Dropbox sent a confirmation email to that address. This email contained the email-change confirmation URL, but the attacker held on to it without using it yet.

When the victim later tried to create an account with their email address, the attempt failed because the address was already associated with an account, and Dropbox instead asked the victim to log in to that account. The victim could then use email-based account recovery and set a new password, at which point the attacker lost access to the account. As shown in the figure below, an alert victim might notice the pending email change in the user interface (UI) and cancel it. However, some victims would not notice it at all.

Some time later, the attacker could cause the victim to visit the confirmation URL (for example, via a cross-site request forgery (CSRF) attack), which associated the attacker's email address with the account. The victim would then see the user interface shown above. The attacker could then use the password-reset-by-email function to regain access to the account.

Because Dropbox is both a cloud file storage service and an identity provider, a successful attack could give the attacker access to the victim's private files and to other services where the victim signs in using Dropbox as IdP. However, an attentive victim might notice the attacker's email address displayed in their account as pending confirmation and remove it, which would stop the attack. The authors were also unable to determine the validity period of the confirmation URL (the confirmation email did not state one); that period bounds the window in which the attack can succeed. The authors responsibly disclosed their findings to Dropbox via HackerOne in June 2021.

During their experiments, they also found that Dropbox was affected by the unexpired session identifier attack: an attacker's existing session on a pre-created account stayed valid after the victim recovered the account and reset the password, so the attacker could keep using it.

They also provide details of their findings on other high-traffic sites, including Zoom, LinkedIn, Instagram and WordPress.com.

"We believe a lack of awareness may be the main reason for these potential vulnerabilities. Therefore, we are publishing this research to raise awareness and help organizations mitigate these vulnerabilities," Paverd and Sudhodanan said.

The most important mitigation, the researchers said, is to verify that the user actually owns any identifier they supply (for example, an email address or phone number) before using it to create a new account or adding it to an existing one. This alone would prevent every pre-hijacking attack they identified.
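To make the Dropbox scenarios above and this recommendation concrete, here is a toy account service written for this article (an added example; it is neither Dropbox's code nor the researchers' own). It models the unexpired email change and unexpired session attacks against a pre-created account and exposes the two mitigations discussed on this page as switches: `require_verified_identifier` (the ownership check the researchers consider the most important fix) and `invalidate_on_recovery` (defense in depth: an account recovery clears existing sessions and pending email changes). The `Service` class, its methods, the `Account` dataclass and the `VICTIM`/`ATTACKER` addresses are all invented for the illustration.

```python
"""Toy model of the unexpired email change and unexpired session attacks described
on this page, plus the two mitigations recommended by the researchers.  Added
illustration, not Dropbox's or any service's real code; all names are hypothetical."""
import secrets
from dataclasses import dataclass, field

VICTIM, ATTACKER = "victim@example.com", "attacker@example.net"  # constructed


@dataclass
class Account:
    email: str
    password: str
    sessions: set = field(default_factory=set)
    pending_change: "str | None" = None  # token of an unconfirmed email change


class Service:
    def __init__(self, require_verified_identifier=False, invalidate_on_recovery=False):
        self.require_verified = require_verified_identifier
        self.invalidate_on_recovery = invalidate_on_recovery
        self.accounts = {}       # current email -> Account
        self.confirmed = set()   # addresses whose owner clicked a verification link
        self.change_tokens = {}  # token -> (old email, new email)

    def signup(self, email, password):
        if email in self.accounts:
            raise ValueError("already registered; log in or recover instead")
        if self.require_verified and email not in self.confirmed:
            # Mitigation 1: no account exists until the address is proven owned.
            raise PermissionError("prove ownership of the address first")
        self.accounts[email] = Account(email, password)

    def login(self, email, password):
        acct = self.accounts[email]
        if acct.password != password:
            raise PermissionError("bad password")
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token

    def session_is_valid(self, session):
        return any(session in a.sessions for a in self.accounts.values())

    def request_email_change(self, session, new_email):
        acct = next(a for a in self.accounts.values() if session in a.sessions)
        token = secrets.token_hex(8)  # "mailed" to new_email, i.e. to its owner
        self.change_tokens[token] = (acct.email, new_email)
        acct.pending_change = token
        return token

    def confirm_email_change(self, token):
        if token not in self.change_tokens:
            raise PermissionError("token invalid or expired")
        old, new = self.change_tokens.pop(token)
        acct = self.accounts.pop(old)
        acct.email, acct.pending_change = new, None
        self.accounts[new] = acct

    def recover_account(self, email, new_password):
        """Owner proved control of `email` via a reset link; set a new password."""
        acct = self.accounts[email]
        acct.password = new_password
        if self.invalidate_on_recovery:
            # Mitigation 2: recovery kills everything the previous holder set up.
            acct.sessions.clear()
            self.change_tokens.pop(acct.pending_change, None)
            acct.pending_change = None


def _precreate(svc):
    """Attacker registers first with the victim's address; None if blocked."""
    try:
        svc.signup(VICTIM, "attacker-pw")
    except PermissionError:
        return None
    return svc.login(VICTIM, "attacker-pw")


def unexpired_email_change_attack(**cfg):
    """True if the attacker ends up owning the address on the victim's account."""
    svc = Service(**cfg)
    sess = _precreate(svc)
    if sess is None:
        return False
    token = svc.request_email_change(sess, ATTACKER)  # link lands in attacker's inbox
    svc.recover_account(VICTIM, "victim-pw")          # victim claims the account
    try:
        svc.confirm_email_change(token)               # attacker uses the old link later
    except PermissionError:
        return False
    return ATTACKER in svc.accounts                   # password reset now reaches attacker


def unexpired_session_attack(**cfg):
    """True if the attacker's pre-recovery session still works afterwards."""
    svc = Service(**cfg)
    sess = _precreate(svc)
    if sess is None:
        return False
    svc.recover_account(VICTIM, "victim-pw")
    return svc.session_is_valid(sess)
```

With no options set, both attack drivers return True. With `invalidate_on_recovery=True` alone, both return False: the victim's recovery expires the attacker's session and the pending change token, which is the behaviour Dropbox lacked. With `require_verified_identifier=True`, the attacker never obtains an account to begin with, which is why the researchers rank ownership verification as the primary fix. The model deliberately omits the classic-federated merge and trojan identifier scenarios, which additionally need a federated login path.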

The researchers' paper also identifies several other defense-in-depth measures.

They recommend that users enable multi-factor authentication (MFA) wherever it is available, since it stops most of the pre-hijacking attacks they discovered.

Another sign of a pre-hijacking attempt is receiving an email about an account you did not create, which users usually ignore. The researchers advise reporting it to the site concerned.

Source: Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

And you?

Have you heard of this attack vector before? What do you think of it?
Do you generally read emails announcing account creation on sites where you have not created an account?
What do you recommend to mitigate this type of attack?
