Account hijacking has sadly become a regular, everyday occurrence. But when it comes to hijacking accounts before they are even created? That’s something you’d never think possible—but it is.

Two security researchers, Avinash Sudhodanan and Andrew Paverd, call this new class of attack a “pre-hijacking attack.” Unfortunately, many websites and online services, including high-traffic ones, are not immune to it. In fact, the researchers found that more than 35 of the 75 most popular websites are vulnerable to at least one pre-hijacking attack.

Sudhodanan and Paverd identified five types:

Classic-Federated Merge (CFM)

This exploits a flaw in how two account creation routes interact. Two accounts can be created using the same email address—one normal account by the user (deemed the “the classic route”) and one federated identity by the hijacker (deemed the “federated route”)—allowing both to access the account.

This attack is most successful when the user uses a single sign-on (SSO) to log in, so they never change the actual account password the hijacker sets.

Non-Verifying Identity Provider (NV)

This is a mirror image of the CFM attack. Using the same email address, the hijacker creates an account using the classic route while the user takes the federated route. The hijacker then uses an identity provider (IdP) that doesn’t verify ownership of an email address. If the website or online service incorrectly merges the two accounts based on the email address, both hijacker and user will have access to the account.

Unexpired Email Change (UEC)

This exploits a flaw where the website or online service fails to invalidate an email change request when the user resets their password.

The hijacker creates an account with the victim’s email address and then submits a change request to replace the email for their own but doesn’t confirm it. When the victim does a password reset, the hijacker then validates control, allowing them to assume control of the account.

Unexpired Session (US)

This exploits a flaw in which authenticated users are not signed out of an active account after a password reset.

The hijacker keeps the account active using an automated script after creating an account. Even after the user creates an account using the same email address and resets the password, the hijacker maintains access to the account.

Trojan Identifier (TID)

This is a combination of CFM and US attacks.

Issues in common

These attacks vary in severity, but they were all caused by the websites’ inability to verify an identifier the user supplies before allowing the account to be used.

Many websites and online services do verify, but, as the researchers noted, they do so asynchronously, which improves website usability but unfortunately opens the door to pre-hijacking attempts.

From the report:

“As with account hijacking, the attacker’s goal in account pre-hijacking is to gain access to the victim’s account. The attacker may also care about the stealthiness of the attack, if the goal is to remain undetected by the victim.

The impact of account pre-hijacking attacks is the same as that of account hijacking. Depending on the nature of the target service, a successful attack could allow the attacker to read/modify sensitive information associated with the account (e.g., messages, billing statements, usage history, etc.) or perform actions using the victim’s identity (e.g., send spoofed messages, make purchases using saved payment methods, etc.).”

How account pre-hijacking works

Attackers attempting to pre-hijack must already know some unique identifiers related to the target whose account they want to take over. These identifiers could be an email address, phone number, or other information that can be retrieved via scraping social media accounts or leaked data.

From here, attackers can then use any of the five attack types. Regardless, everything boils down to the hijacker and the user having concurrent access to the same account.

In their case studies, the researchers mentioned a handful of known online brands vulnerable to pre-hijacking attacks. These include Dropbox, Instagram, LinkedIn, WordPress, and Zoom.

Pre-hijacking attacks are preventable

Although the root cause of pre-hijacking attacks stems from weaknesses on the side of the websites and online services, protecting against them is never one-sided.

The researchers advise website and service owners to do the following:

  • Require verification of an email address used in registration to be completed before allowing any features of the website or service to be used. A similar approach must be adopted when using other verification means, such as SMS or automated phone calls.
  • If the website or online service uses an IdP, ensure the IdP performs the verification process or conducts additional verification steps.
  • When a user requests a password reset, the website or service should sign out all active sessions and invalidate all authentication tokens.
  • Set the validity period of change confirmation emails as low as possible. Doing this doesn’t remove the risk of an attack altogether, but it minimizes it.
  • Delete unverified accounts regularly.

Microsoft has listed some in-depth steps on its website for further mitigation.

Users can also protect themselves from pre-hijacking attacks using multi-factor authentication (MFA) if the website or online service supports this feature.

Stay informed and stay safe!