Microsoft Security Response Center

https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/

1. Challenges in User Account Creation

User accounts are a ubiquitous feature of websites and other online services, and have therefore become a valuable target for attackers. Account hijacking is a well-known threat in which the attacker attempts to gain unauthorized access to the victim’s user account.

Organizations rightly invest significant resources to defend against account hijacking.

However, one aspect that has received less attention is the process of user account creation, and the corresponding security implications.

With the move towards federated identity and Single Sign-On (SSO), many services now support (at least) two different routes for users to create accounts: the classic route of providing a username and password, and the federated route using an Identity Provider (IdP), e.g. Sign in with Microsoft.

Once the account has been created, some services also offer the possibility to link an IdP account, so that the user can either sign in directly or authenticate via the IdP.

Previous academic research has discussed a “preemptive account hijacking attack”, where an attacker gains control of a victim’s IdP account and uses it to create user accounts at services for which the victim has not yet signed up.

Inspired by this attack, we demonstrate that there exists an entire class of such attacks, which we call account pre-hijacking attacks. In contrast to prior work, none of our attacks require the attacker to compromise the victim’s IdP account.

2. Account Pre-Hijacking Attacks

The distinguishing feature of an account pre-hijacking attack is that the attacker performs some action before the victim creates an account at the target service.

The unsuspecting victim might subsequently regain access to this account and start using it, potentially adding personal information, payment details, or any other type of private information.

After some time, the attacker completes the attack by gaining access to the victim’s account – essentially achieving the same objective as an account hijacking attack.
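The three steps described above, as an added illustration that is not code from the MSRC post or the underlying paper: a toy account store offering both routes from Section 1 (classic username/password and federated IdP sign-in) that merges accounts by e-mail address. In its vulnerable configuration, a classic account the attacker creates under the victim's address before the victim ever signs up survives the victim's later IdP sign-up; in its hardened configuration, the service requires proof of address ownership and discards any credentials or sessions set up before that proof. The class names, method names and example addresses are assumptions chosen for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    email: str
    password: Optional[str] = None         # kept in clear only to keep the toy short
    idp_subjects: set = field(default_factory=set)
    email_verified: bool = False           # has ownership of the address been proven?
    sessions: set = field(default_factory=set)

class Service:
    """Hypothetical service that supports the classic and the federated route."""
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.accounts = {}                 # e-mail address -> Account

    def signup_classic(self, email, password):
        acct = self.accounts.setdefault(email, Account(email))
        acct.password = password
        # Vulnerable flavour trusts the caller's claim to the address; the
        # hardened one leaves the account pending until the address is verified.
        acct.email_verified = not self.hardened
        return self._new_session(acct) if acct.email_verified else None

    def login_classic(self, email, password):
        acct = self.accounts.get(email)
        if acct and acct.email_verified and acct.password == password:
            return self._new_session(acct)
        return None

    def login_federated(self, email, idp_subject):
        # The IdP vouches for the address, so the service merges on it.
        acct = self.accounts.setdefault(email, Account(email))
        if self.hardened and not acct.email_verified:
            # Hardened: nothing set up before ownership was proven may survive.
            acct.password = None
            acct.sessions.clear()
        acct.email_verified = True
        acct.idp_subjects.add(idp_subject)
        return self._new_session(acct)

    def _new_session(self, acct):
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token

def pre_hijack_succeeds(hardened: bool) -> bool:
    """Replay the three steps from the text against a fresh service instance."""
    svc = Service(hardened)
    svc.signup_classic("victim@example.com", "attacker-chosen")   # 1: attacker acts first
    svc.login_federated("victim@example.com", "idp-subject-42")   # 2: victim signs up via IdP
    return svc.login_classic("victim@example.com", "attacker-chosen") is not None  # 3
```

Running `pre_hijack_succeeds(False)` returns True and `pre_hijack_succeeds(True)` returns False, which is the whole difference between merging on an unverified identifier and merging only after ownership has been proven.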


MoinQ: なりすまし/account_pre-hijacking/microsoft (last edited 2022-05-30 22:49:35 by ToshinoriMaeno)