Unsecured Systems Are Exploitable
According to the research, pre-hijacking attacks flourish in the gap between the two account-creation routes most popular websites now offer: "classic" account creation (choosing a username and password) and federated single sign-on (SSO) through an identity provider (the "Sign in with Microsoft/Google/Facebook" buttons).
The researchers also pointed out that many services verify ownership of an email address "asynchronously": the account is created, and parts of it are usable, before the address has actually been confirmed.
The prevailing mode of account creation therefore opens several avenues for pre-hijacking; the researchers identified five distinct attack variants.
In a "Classic-Federated Merge Attack", for example, the attacker creates an account through the classic route using the victim's email address and waits for the victim to later sign up through the federated route with that same address. If the service merges the two accounts without checking that the classic account's email was ever verified, the attacker's password keeps working and the attacker gains access to what the victim believes is their own account.
Another variant (the "Unexpired Email Change Attack") has the attacker create an account with the victim's email address and immediately request that the address be changed to one the attacker controls. The service sends the confirmation link to the attacker's address, not the victim's. The attacker then waits until the victim has recovered the account (typically via a password reset) and started to use it before clicking the link; if the change request is still honoured at that point, the account's login address is switched to the attacker's and the victim is locked out.
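The two attacks above, played out against a toy account service, as an added example (this is not the researchers' code, nor any real site's implementation; the class and function names and the email addresses are constructed for illustration). The same service runs in a vulnerable mode, which merges accounts and honours email-change requests blindly, and a hardened mode, which treats an unverified classic account as untrusted at federated sign-in and discards pending email changes when a password reset hands the account to its real owner.

```python
"""Toy account service reproducing the Classic-Federated Merge and
Unexpired Email Change attacks, plus the checks that close them.
Added example; not the researchers' code. All names are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    email: str                        # current login email
    password: str | None = None       # None when the account is federated-only
    email_verified: bool = False
    federated_ids: set = field(default_factory=set)   # e.g. {"google:1234"}
    pending_email: str | None = None  # unconfirmed change request, if any
    pending_token: str | None = None


class AccountService:
    def __init__(self, strict: bool):
        self.strict = strict          # False = vulnerable, True = hardened
        self.accounts: dict[str, Account] = {}   # keyed by login email

    # Classic sign-up: the address is accepted before it is verified
    # (the "asynchronous verification" the research describes).
    def signup_classic(self, email, password):
        acct = Account(email=email, password=password)
        self.accounts[email] = acct
        return acct

    def login_classic(self, email, password):
        acct = self.accounts.get(email)
        return acct is not None and acct.password is not None and acct.password == password

    # Federated sign-in: the IdP has already proven the user owns `email`.
    def signin_federated(self, idp_subject, email):
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, email_verified=True)
            self.accounts[email] = acct
        elif self.strict and not acct.email_verified:
            # Hardened: an unverified classic account under this address may
            # have been planted by an attacker. Strip its password and any
            # pending change so only the IdP-proven user can log in.
            acct.password = None
            acct.pending_email = acct.pending_token = None
            acct.email_verified = True
        # Vulnerable mode falls through here and silently merges, keeping
        # whatever password the classic account already had.
        acct.federated_ids.add(idp_subject)
        return acct

    # Email change: the confirmation link goes to the NEW address.
    def request_email_change(self, email, new_email):
        acct = self.accounts[email]
        acct.pending_email = new_email
        acct.pending_token = secrets.token_urlsafe(16)
        return acct.pending_token      # what the link sent to new_email carries

    def reset_password(self, email, new_password):
        acct = self.accounts[email]
        acct.password = new_password
        acct.email_verified = True     # the reset link reached the real owner
        if self.strict:
            # Hardened: ownership just changed hands, so any outstanding
            # change request was made by someone else. Drop it.
            acct.pending_email = acct.pending_token = None

    def confirm_email_change(self, token):
        for acct in list(self.accounts.values()):
            if acct.pending_token is not None and acct.pending_token == token:
                del self.accounts[acct.email]
                acct.email = acct.pending_email
                acct.pending_email = acct.pending_token = None
                self.accounts[acct.email] = acct
                return True
        return False


def classic_federated_merge(strict):
    """True if the attacker's password still opens the victim's account."""
    svc = AccountService(strict)
    svc.signup_classic("victim@example.com", "attacker-pw")       # attacker, unverified
    svc.signin_federated("google:victim", "victim@example.com")   # victim, later
    return svc.login_classic("victim@example.com", "attacker-pw")


def unexpired_email_change(strict):
    """Returns the login address the account ends up under."""
    svc = AccountService(strict)
    svc.signup_classic("victim@example.com", "attacker-pw")
    token = svc.request_email_change("victim@example.com", "attacker@evil.example")
    # Victim finds an account already exists and recovers it by password reset...
    svc.reset_password("victim@example.com", "victim-pw")
    # ...then the attacker clicks the link that went to attacker@evil.example.
    svc.confirm_email_change(token)
    return next(iter(svc.accounts.values())).email
```

In vulnerable mode `classic_federated_merge` returns True and `unexpired_email_change` ends with the account registered under the attacker's address; in strict mode the attacker's password is dead after the federated sign-in and the stale change request is refused, so the account stays under the victim's address.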
Research Paints Grim Picture for Popular Sites
The most concerning finding is the share of popular sites that were vulnerable: the researchers tested 75 of the 150 most popular websites, and 35 of them were exploitable through at least one pre-hijacking route.
The researchers suggested that, considering the volume of sites in this sample that were vulnerable, it’s highly likely a slew of other sites are too.
Attack Mitigation – What Can You Do?
The researchers suggest that multi-factor authentication is an effective mitigation, with one caveat: every session opened before multi-factor authentication was enabled on the account must be signed out automatically, otherwise a session the attacker established during the pre-hijack survives the victim's security upgrade.
Moving away from asynchronous verification, so that an account cannot be used at all until its email address has been confirmed, would also go a long way towards closing these gaps.
Multi-factor authentication should in any case be paired with a password manager; with both in place, any kind of credential-theft attack becomes much harder for a threat actor to pull off.
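The session caveat above, as an added example of one way to enforce it (this is not the researchers' code or any real site's session layer; the class names are hypothetical). Each account carries a security generation counter that is bumped on every ownership-relevant change such as enabling MFA; a session records the generation it was issued under and is rejected once the two diverge, so the attacker's pre-hijack session dies the moment the victim turns on MFA. The same bump would be applied on a password reset or email change.

```python
"""Session check that signs out every session minted before a
security-sensitive change (MFA enrolment here). Added example, not taken
from the research or any real site; names are hypothetical."""
from __future__ import annotations
from dataclasses import dataclass
import secrets


@dataclass
class Account:
    email: str
    mfa_enabled: bool = False
    # Bumped on every ownership-relevant change (MFA enable, password reset,
    # email change). A session is valid only if issued under the current value.
    security_generation: int = 0


@dataclass
class Session:
    token: str
    account: Account
    generation: int   # account.security_generation at login time


class SessionStore:
    def __init__(self):
        self.sessions: dict[str, Session] = {}

    def login(self, acct):
        tok = secrets.token_urlsafe(16)
        self.sessions[tok] = Session(tok, acct, acct.security_generation)
        return tok

    def is_valid(self, tok):
        s = self.sessions.get(tok)
        return s is not None and s.generation == s.account.security_generation

    def enable_mfa(self, acct, invalidate_sessions):
        acct.mfa_enabled = True
        if invalidate_sessions:
            # Every session issued before this point now fails is_valid,
            # without needing to enumerate or delete them.
            acct.security_generation += 1


def pre_hijacked_session_survives(invalidate_sessions):
    """Returns (attacker session still valid?, victim session valid?)."""
    store = SessionStore()
    acct = Account("victim@example.com")             # constructed sample account
    attacker_tok = store.login(acct)                 # attacker made the account and logged in
    store.enable_mfa(acct, invalidate_sessions)      # victim later claims it and enables MFA
    victim_tok = store.login(acct)                   # victim's own post-MFA session
    return store.is_valid(attacker_tok), store.is_valid(victim_tok)
```

Without invalidation both sessions remain valid, which is exactly the gap the caveat warns about; with it, only the session opened after MFA was enabled survives.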