A security research duo has revealed that around half of the world’s most popular websites are vulnerable to a new kind of cyberattack called account pre-hijacking.
A move away from asynchronous verification processes is the suggested remedy for service providers, whereas users have been urged to implement two-factor authentication where they can.
However, multi-factor authentication must be combined with a password manager if you want maximum protection from all the different types of identity theft out there.
What is Account Pre-Hijacking?
“Pre-Hijacking” is the catch-all term for a contemporary class of cyberattacks in which an attacker takes control of a victim’s account on a given website; the class is the focus of a paper authored by security researchers Avinash Sudhodanan and Andrew Paverd.
“The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account,” Paverd explains in a blog post on the same issues.
In this way, it departs from existing modes of attack like brute-forcing or password spraying, which focus on obtaining passwords and other credentials tied to existing accounts via trial-and-error methods.
Unsecured Systems Are Exploitable
Pre-hijacking attacks have been given space to flourish, the research suggests, due to gaps between the two prominent avenues of account creation most popular websites now provide – “classic” account creation (entering a username and password) or federated single sign-on (i.e. “Sign in with Microsoft/Google/Facebook”).
The researchers pointed out that services often attempt to verify you “asynchronously” and that aspects of accounts are accessible prior to verification.
There are various ways to exploit the vulnerabilities the prevailing mode of account creation inadvertently creates – researchers have identified at least five.
A “Classic-Federated Merge Attack,” for example, involves the threat actor making an account via the “classic” avenue and counting on the unsuspecting victim later making an account through the “federated” route with an identical email address. If the service in question consolidates these accounts in a non-secure manner, it could easily give the attacker access.
Another involves creating an account with the target’s email address and then requesting that the address be changed to the attacker’s. The service in question then sends a verification link to the attacker’s address rather than the victim’s, but the threat actor waits until the victim has started using the account before confirming the change.
Research Paints Grim Picture for Popular Sites
The concerning thing about the study is the percentage of popular sites that are vulnerable to this sort of attack. 75 out of the top 150 most popular websites on the web were tested, and 35 appeared exploitable through the pre-hijacking route.
The researchers suggested that, considering the volume of sites in this sample that were vulnerable, it’s highly likely a slew of other sites are too.
Attack Mitigation – What Can You Do?
The researchers suggest that mitigation rests in deploying multi-factor authentication methods – but with the caveat that account sessions started prior to multi-factor authentication being implemented will have to be auto-signed out.
A mass move away from asynchronous verification would also go a long way to solving this problem.
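As an added illustration (not code from the article or from Sudhodanan and Paverd’s paper), the following Python model shows why merging an unverified “classic” account with a later federated sign-up is dangerous: the insecure merge leaves the pre-set password and session usable, while the hardened merge revokes them, matching the session-invalidation caveat above. The account store, the address victim@example.com and the password are constructed.

```python
# Added illustration, not code from the article or Sudhodanan & Paverd's paper;
# the e-mail address, password and flows below are constructed.
import secrets
class Account:
    def __init__(self, email):
        self.email = email
        self.password = None    # set by classic (password) sign-up
        self.verified = False   # has e-mail ownership been confirmed?
        self.sessions = set()   # live session tokens

class Service:
    def __init__(self, hardened):
        self.hardened, self.accounts = hardened, {}

    def _new_session(self, acct):
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token

    def classic_signup(self, email, password):
        # Asynchronous verification: usable at once, before the link is clicked.
        acct = self.accounts.setdefault(email, Account(email))
        acct.password = password
        return self._new_session(acct)

    def federated_signup(self, email):
        # The identity provider has already asserted ownership of `email`.
        acct = self.accounts.setdefault(email, Account(email))
        if self.hardened and not acct.verified:
            # An unverified account here may belong to someone else:
            # revoke every credential and session that party holds.
            acct.password = None
            acct.sessions.clear()
        acct.verified = True
        return self._new_session(acct)

    def password_login(self, email, password):
        acct = self.accounts.get(email)
        return acct is not None and acct.password == password

    def session_valid(self, email, token):
        acct = self.accounts.get(email)
        return acct is not None and token in acct.sessions

def merge_attack_succeeds(hardened):
    """True if a password or session set before the owner's SSO sign-up still works."""
    svc, e = Service(hardened), "victim@example.com"
    early = svc.classic_signup(e, "pre-set-pw")  # account pre-created, unverified
    svc.federated_signup(e)                      # real owner arrives via SSO
    return svc.password_login(e, "pre-set-pw") or svc.session_valid(e, early)
```

The model compares plaintext passwords for brevity; a real service would store hashes, and would apply the same revocation to pending email-change requests as well as to passwords and sessions.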
However, multi-factor authentication should be paired with a password manager – with these two security provisions in place, you’re making it much more difficult for threat actors attempting to orchestrate any kind of credential theft attack.