## page was renamed from なりすまし/account_pre-hijacking ## page was copied from DnsTemplate ##master-page:HelpTemplate <> <> Avinash Sudhodanan in collaboration with Andrew Paverd https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/ Learn How Hackers Can Hijack Your Online Accounts Even Before You Create Them May 25, 2022Ravie Lakshmanan https://thehackernews.com/2022/05/learn-how-hackers-can-hijack-your.html The attack takes aim at the account creation process that's ubiquitous in websites and other online platforms, enabling an adversary to perform a set of actions before an unsuspecting victim creates an account in a target service. Pre-hijacking banks on the prerequisite that an attacker is already in possession of a unique identifier associated with a victim, such as an email address or phone number, which can be obtained either from the target's social media accounts or credential dumps circulating on the web. [[/5種の攻撃]] {{{ "After the victim has recovered access and started using the account, the attacker could regain access and take over the account. " The five types of pre-hijacking attacks are below - Classic-Federated Merge Attack, in which two accounts created using classic and federated identity routes with the same email address allow the victim and the attacker to access to the same account. Unexpired Session Identifier Attack, in which the attacker creates an account using the victim's email address and maintains a long-running active session. When the user recovers the account using the same email address, the attacker continues to maintain access because the password reset did not terminate the attacker's session. Trojan Identifier Attack, in which the attacker creates an account using the victim's email address and then adds a trojan identifier, say, a secondary email address or a phone number under their control. Thus when the actual user recovers access following a password reset, the attacker can use the trojan identifier to regain access to the account. Unexpired Email Change Attack, in which the attacker creates an account using the victim's email address and proceeds to change the email address to one under their control. When the service sends a verification URL to the new email address, the attacker waits for the victim to recover and start using the account before completing the change-of-email process to seize control of the account. Non-Verifying Identity Provider (IdP) Attack, in which the attacker creates an account with the target service using a non-verifying IdP. If the victim creates an account using the classic registration method with the same email address, it enables the attacker to gain access to the account. }}} == history == {{{ In an empirical evaluation of 75 of the most popular websites from Alexa, 56 pre-hijacking vulnerabilities were identified on 35 services. This includes 13 Classic-Federated Merge, 19 Unexpired Session Identifier, 12 Trojan Identifier, 11 Unexpired Email Change, and one Non-Verifying IdP attacks - }}} ---- CategoryDns CategoryWatch CategoryTemplate