Having your online account hacked is bad enough. Having it hacked before it has even been created is far worse.
Two security researchers have just revealed that dozens of online services were not secure enough and allowed hackers to carry out so-called "pre-hijack" attacks. Armed only with the victim's email address, the attacker creates an online account in the victim's name.
Then, when the victim later creates what they believe is their own account on this service, the hacker can control it and use it for various purposes: spying, modifying content, creating fake content, fraudulent payments, and so on.
All this is possible because of a series of flaws that the researchers found in the authentication and account recovery processes.
Of the 75 online services tested, 35 were at risk. Among them are big names such as LinkedIn, Instagram, Dropbox, Zoom and WordPress.com.
How is that possible?
First, the researchers found that account verification (the email you receive to confirm that you own the address in question) is insufficient. Sometimes it is not implemented at all, and when it is, it is sometimes possible to change the address later without any further verification.
Then, when the victim tries to create their account, they will of course be told that it already exists. But they will assume they had simply forgotten creating it and will proceed to account recovery. From there, several attack scenarios are possible.
1) Using a script, the hacker keeps the login session open. This session remains valid even after the victim resets their password, which should not be the case (Unexpired Session Attack).
2) The victim creates their account through a third-party authentication service such as Google or Apple. If the platform is misconfigured, it merges the two accounts without disabling the password the attacker set earlier (Classic Federated Merge Attack).
3) Conversely, an attacker can establish direct access through an authentication service that does not verify ownership of the victim's email address. When the victim creates their account normally, this access remains valid (Non-Verifying IdP Attack).
4) The attacker creates an account with the victim's email address and links another identity to it through identity federation. If the victim recovers the account normally, the hacker retains access through this parallel identity (Trojan Identifier Attack).
5) The attacker starts a change of the account's email address but does not complete it. Once the victim has taken over the account, the hacker completes the change and regains access (Unexpired Email Change Attack).
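As an added illustration (not code from the article or from the researchers), the toy Python model below reproduces the recovery step at the heart of attacks 1 and 5: the attacker pre-creates the account and starts an email change, the victim "recovers" it by resetting the password, and the `revoke_on_reset` flag decides whether that reset also revokes every existing session and cancels any pending email change. All names, addresses and passwords are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Account:
    password: str
    sessions: Set[str] = field(default_factory=set)
    pending_email_change: Optional[str] = None  # address change awaiting confirmation

class AccountService:
    # Toy in-memory store; revoke_on_reset toggles the mitigation on and off.
    def __init__(self, revoke_on_reset: bool) -> None:
        self.accounts = {}
        self.revoke_on_reset = revoke_on_reset

    def signup(self, email: str, password: str) -> str:
        if email in self.accounts:
            raise ValueError("account already exists")
        acct = self.accounts[email] = Account(password)
        token = secrets.token_hex(16)  # session issued at signup
        acct.sessions.add(token)
        return token

    def request_email_change(self, email: str, token: str, new_email: str) -> None:
        acct = self.accounts[email]
        if token not in acct.sessions:
            raise PermissionError("invalid session")
        acct.pending_email_change = new_email  # confirmation link not yet clicked

    def reset_password(self, email: str, new_password: str) -> None:
        # The victim, told the account "already exists", recovers it this way.
        acct = self.accounts[email]
        acct.password = new_password
        if self.revoke_on_reset:
            acct.sessions.clear()             # closes attack 1 (unexpired session)
            acct.pending_email_change = None  # closes attack 5 (unexpired email change)

def simulate_pre_hijack(revoke_on_reset: bool) -> bool:
    # Returns True if the attacker keeps a foothold after the victim's recovery.
    svc = AccountService(revoke_on_reset)
    victim = "victim@example.com"  # constructed sample address
    tok = svc.signup(victim, "attacker-chosen-pw")  # account pre-created by attacker
    svc.request_email_change(victim, tok, "attacker@example.com")
    svc.reset_password(victim, "victim-chosen-pw")
    acct = svc.accounts[victim]
    return tok in acct.sessions or acct.pending_email_change is not None
```

With `revoke_on_reset=False` the attacker's session and pending email change survive the victim's reset; with it set to `True` both are wiped, which is the behaviour the researchers say a password reset should always have.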
All 35 service providers at risk were notified of these flaws, and most of them have implemented fixes. This is notably the case for LinkedIn and Zoom, which were vulnerable to attacks 1 and 4, and to attacks 2 and 3, respectively. But some believe the risk is minimal or that it is not their responsibility.
Instagram, for example, is vulnerable to attack 4, but believes it has enough alerts and safeguards to prevent this scenario; at worst, it considers this a user error.
Note that the researchers were only able to test a small sample of online services, so other platforms are certainly still at risk. As a user, one way to protect yourself from these attacks is to enable strong authentication (multi-factor authentication), which prevents a hacker from using such parallel access.