The MSRC’s (Microsoft Security Response Center) Identity Project Research Grants started in 2020 to support external researchers and strengthen protocol and system security. One of the two grants awarded to Avinash Sudhodanan has borne fruit: Microsoft has revealed a new class of cyberattack, Account Pre-Hijacking.
Account hijacking involves malicious actors gaining access to an innocent user’s account. Account pre-hijacking reverses the order. If the malicious actor knows the victim’s email address, they can create an online account with that address before the victim does and leave it in a pre-hijacked state, which lets them regain access to the account even after the victim recovers it.
Account Pre-Hijacking Rise: Challenges to Account Creation
Today, many websites and online services require people to create an account, and account hijacking is already a significant threat that can help threat actors steal personal information and card details and carry out other malicious activities using the hijacked account.
There are plenty of protections in place against account hijacking. However, there is not much when it comes to account creation. Neither the legacy route of a username and password, nor federated identity, where an IdP (Identity Provider) lets various services delegate authentication and login to it, is protected from all ends.
If a threat actor gains access to your IdP account, they can misuse it to create additional accounts on various websites and services. Account pre-hijacking goes further: it has given rise to a wide array of new cyberattacks that do not even require compromising the IdP account.
Popular Account Pre-Hijacking Attacks
To create an account on a target website or service, the malicious actor naturally has to perform some action first. Meanwhile, the victim of an account pre-hijacking attack is unaware of the malicious activity: they may regain access to the account easily and go on to add personal information, payment details, private data and communication, all of which cybercriminals can exploit for data and identity theft and to rob the victim of finances.
The paper characterizes account pre-hijacking attacks in five distinct categories, which are:
- Classic-Federated Merge Attack: In such an attack, the cybercriminal exploits potential weaknesses in the federated and classic account creation routes. The cybercriminal creates an account the classic way using the victim’s email, and an account for the same address is also created via the federated route. If the online service merges the two, both the cybercriminal and the victim will be able to access the account simultaneously.
- Non-Verifying IdP Attack: The non-verifying IdP attack mirrors the classic-federated merge attack. The cybercriminal leverages a non-verifying IdP (one that does not check ownership of the email address it asserts) to create an account on a website or service. When the victim creates an account on the same website or service using the classic route, there is a significant chance that the service combines the two incorrectly, allowing the cybercriminal to access the victim’s account.
- Unexpired Session Identifier Attack: In such an attack, the cybercriminal relies on a password reset that does not sign out existing sessions. The cybercriminal creates the account, logs in and keeps a long-running active session on the service. When the victim recovers the account with a password reset, the cybercriminal still has access if the reset did not invalidate that long-running session.
- Trojan Identifier Attack: Trojan Identifier is another account pre-hijacking attack, one where the cybercriminal links an additional identifier to the account while creating it with the victim’s email and a password of their choosing. The identifier might be the cybercriminal’s federated identity or another email or phone number they control, and is known as a Trojan identifier. Whenever the innocent user resets the password, the cybercriminal can use this Trojan identifier to regain access to the account, resulting in a successful account pre-hijacking attack.
- Unexpired Email Change Attack: In such an attack, the cybercriminal exploits an online service that fails to invalidate pending email-change URLs (Uniform Resource Locators) when a user resets their account’s password. The cybercriminal uses the victim’s email to create an account and then requests a change of the account’s email to their own. Since services send the confirmation URL to the updated email, i.e., the cybercriminal’s own address, the cybercriminal can choose to confirm the pending change and regain access to the victim’s account whenever they wish.
A particular thing to note in all the above account pre-hijacking attacks is that the malicious actor has to create an account using the victim’s email.
Threats that Account Pre-Hijacking Poses
Threat actors can employ account pre-hijacking for a wide array of malicious activities, including:
- Cybercriminals who know which services the victim uses can pre-hijack the victim’s accounts on similar services.
- Cybercriminals who know an organization is adopting a specific service could pre-hijack various accounts belonging to that organization.
- Cybercriminals could exploit the popularity of new or in-demand services and pre-hijack accounts before users sign up.
All a cybercriminal needs to carry out such activities is an email address, which is often publicly available via social media and can also be obtained by website scraping or from credential dumps.
How to Protect Against Account Pre-Hijacking Attacks?
There is a lot that you can do to protect against account pre-hijacking attacks, such as:
- Adequate password reset mechanisms: A sound password reset mechanism should:
  - Sign out of other sessions and devices, and invalidate other authenticated tokens, to protect against unexpired session attacks.
  - Cancel pending email modification or change actions to protect against unexpired email change attacks.
  - Notify the owner of all emails, phone numbers, and federated identities linked to the account and allow their management.
- Secure Merging: When merging classic and federated accounts, online services should ensure that a single user controls both, so there is no chance of classic-federated merge and non-verifying IdP attacks.
- Email change confirmations: When a change of email is requested, the validity period of the confirmation should be short to reduce the chances of unexpired email change attacks. Furthermore, to prevent cybercriminals from requesting them repeatedly, the service should cap the number of requests to change the email.
- MFA: Multi-Factor Authentication helps individuals protect against pre-hijacking attacks by stopping cybercriminals and threat actors from entering or using a user’s account.
- Selective Account Pruning: Removal of unverified accounts can significantly reduce pre-hijacking attacks. Additionally, websites and online services should limit the creation of new accounts using the same unverified identifier. Services should also use automated bot detection to restrict the rate at which threat actors can create new accounts automatically.
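As an added example (not code from the paper, from Microsoft or from any named service), the following Python model puts the attack classes listed earlier and the mitigations in this list side by side. An in-memory account store with a `hardened` switch reproduces the unexpired session, unexpired email change and classic-federated merge scenarios; with `hardened=True` the password reset signs out every session, cancels the pending email change, email-change requests are capped, and a classic account is only merged with a federated login when both routes have a verified address. The class and function names, the time-to-live and cap values, and the example addresses and IdP name are all assumptions made for this demonstration; a real service would back this with a database and mail the email-change link to the new address rather than returning it.

```python
import secrets
from dataclasses import dataclass, field

EMAIL_CHANGE_TTL = 15 * 60   # assumed: a pending email-change link stays valid 15 minutes
EMAIL_CHANGE_CAP = 3         # assumed: at most 3 email-change requests per account


@dataclass
class Account:
    email: str
    email_verified: bool                 # has this user proved control of `email`?
    password: str = None
    federated_ids: set = field(default_factory=set)   # (idp, subject) pairs
    sessions: set = field(default_factory=set)        # live session tokens
    pending_change: dict = None          # {"token", "new_email", "expires"} or None
    change_requests: int = 0


class AccountService:
    # In-memory account store; hardened=False reproduces the weak behaviour.
    def __init__(self, hardened=True):
        self.hardened = hardened
        self.accounts = {}   # email -> Account
        self.sessions = {}   # session token -> Account
        self.changes = {}    # email-change token -> email the change was requested on

    def _new_session(self, acct):
        token = secrets.token_hex(16)
        acct.sessions.add(token)
        self.sessions[token] = acct
        return token

    def signup_classic(self, email, password):
        # classic route: the address is not verified at signup (the pre-hijacking precondition)
        self.accounts[email] = Account(email, email_verified=False, password=password)

    def login(self, email, password):
        acct = self.accounts.get(email)
        return self._new_session(acct) if acct and acct.password == password else None

    def request_email_change(self, token, new_email, now):
        acct = self.sessions.get(token)
        if acct is None or (self.hardened and acct.change_requests >= EMAIL_CHANGE_CAP):
            return None                  # unknown session, or request cap reached
        acct.change_requests += 1
        change = secrets.token_hex(16)   # this link would be mailed to new_email
        acct.pending_change = {"token": change, "new_email": new_email,
                               "expires": now + EMAIL_CHANGE_TTL}
        self.changes[change] = acct.email
        return change

    def confirm_email_change(self, change, now):
        acct = self.accounts.get(self.changes.pop(change, None))
        pending = acct.pending_change if acct else None
        if pending is None or pending["token"] != change or now > pending["expires"]:
            return False                 # cancelled, superseded, unknown or expired link
        acct.pending_change = None
        self.accounts[pending["new_email"]] = self.accounts.pop(acct.email)
        acct.email = pending["new_email"]
        return True

    def reset_password(self, email, new_password):
        # the caller has already proved control of `email` by following the reset link
        acct = self.accounts[email]
        acct.password, acct.email_verified = new_password, True
        if self.hardened:
            for t in acct.sessions:      # sign out every other session and device
                self.sessions.pop(t, None)
            acct.sessions.clear()
            if acct.pending_change:      # cancel any pending email change
                self.changes.pop(acct.pending_change["token"], None)
                acct.pending_change = None

    def login_federated(self, idp, subject, idp_email, idp_email_verified):
        acct = self.accounts.get(idp_email)
        if acct is None:
            acct = self.accounts[idp_email] = Account(idp_email, idp_email_verified)
        elif (idp, subject) not in acct.federated_ids and self.hardened and not (
                acct.email_verified and idp_email_verified):
            return None   # secure merging: refuse unless one user demonstrably owns both routes
        acct.federated_ids.add((idp, subject))
        return self._new_session(acct)


def simulate_reset(hardened):
    # Attacker pre-creates the victim's account, keeps a session and parks an email
    # change; the victim then recovers the account with a password reset.
    svc, now = AccountService(hardened), 1_700_000_000
    svc.signup_classic("victim@example.com", "attacker-pw")
    att_session = svc.login("victim@example.com", "attacker-pw")
    change = svc.request_email_change(att_session, "attacker@example.net", now)
    svc.reset_password("victim@example.com", "victim-pw")
    return {"session_survives": att_session in svc.sessions,
            "change_confirmable": svc.confirm_email_change(change, now + 60)}


def simulate_merge(hardened):
    # Attacker holds an unverified classic account on the victim's address; the victim then
    # signs in via an IdP asserting the same address as verified. True = attacker keeps access.
    svc = AccountService(hardened)
    svc.signup_classic("victim@example.com", "attacker-pw")
    victim = svc.login_federated("example-idp", "sub-123", "victim@example.com", True)
    return victim is not None and svc.login("victim@example.com", "attacker-pw") is not None
```

`simulate_reset(False)` returns both flags as True: the attacker’s session outlives the victim’s reset and the parked email change can still be confirmed afterwards, which is exactly the unexpired session and unexpired email change condition. `simulate_reset(True)` returns False for both, and `simulate_merge(True)` refuses the merge until the classic account’s address has been verified, so the attacker’s password never opens the account the victim is using.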
The latest research by MSRC has helped bring pre-hijacking into the light and made the case that there are still simple vulnerabilities that can cause massive harm. With the new results and the above mitigation techniques, service providers and individuals can protect themselves from account pre-hijacking attacks and keep their accounts secure.