MoinQ:

1. account_pre-hijacking

アカウント登録・ログインに(二つ以上の方法が使える場合に)は危ないことがある。

https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/

Pre-hijacking Attacksのメモ書き https://gist.github.com/azu/faa7909d32c0ed1ab4fced3ad4ab74d8

https://arxiv.org/abs/2205.10174?context=cs

メイルアドレスをidとして使うサービス(の危険性)

「到達性のないメールアドレス」をIDとして登録できるサービスがあるらしい。

-- ToshinoriMaeno 2022-06-10 00:09:26

フィッシング/Spotify不正ログイン通知が話題に上がっている。-- ToshinoriMaeno 2022-06-26 14:32:13


Gigazine 記事 (日本語版が先に出たとのこと) 2022年06月01日

https://gigazine.net/gsc_news/en/20220601-account-pre-hijacking/

1.1. research

Avinash Sudhodanan in collaboration with Andrew Paverd

New Research Paper: Pre-hijacking Attacks on Web User Accounts

https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/

identity theftの手口のいくつか Microsoft Security Response Center /microsoft

if the attacker can create an account at a target service using the victim’s email address before the victim creates an account, 
the attacker could then use various techniques to put the account into a pre-hijacked state. 

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

https://arxiv.org/abs/2205.10174

https://arxiv.org/pdf/2205.10174.pdf 2205.10174.pdf

4 Account Pre-Hijacking Attacks /4

For all these attacks, the attacker needs to identify services at which 
the victim does not yet have an account but is likely to create one in future. 

Root Cause and Mitigation

Fundamentally, the root cause of account pre-hijacking vulnerabilities is that 
the service fails to verify that the user actually owns the supplied identifier 
(e.g. email address or phone number) before allowing use of the account. 

Although many services require identifier verification, 
they often do so asynchronously, 
allowing the user (or attacker) to use certain features of the account
before the identifier has been verified. 
Whilst this might improve usability, 
it creates a window of vulnerability for pre-hijacking attacks.

1.2. 紹介記事

https://www.helpnetsecurity.com/2022/05/24/account-pre-hijacking/

https://www.theregister.com/2022/05/25/web_pre_hijacking/

Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds Ben Dickson 30 May 2022 at 15:30 UTC

https://portswigger.net/daily-swig/dozens-of-high-traffic-websites-vulnerable-to-account-pre-hijacking-study-finds


CategoryDns CategoryWatch CategoryTemplate

MoinQ: なりすまし/account_pre-hijacking (last edited 2022-08-26 07:47:28 by ToshinoriMaeno)