Hackers can pre-hack your online accounts before you've even registered

(Image credit: Shutterstock)

Thanks to a few features that weren’t well thought-through, cybercriminals can break into online accounts on some of the internet’s biggest platforms, without ever knowing the passwords. All they need to know, according to researchers investigating the matter, is the victim’s email address, and that is hardly a problem these days.

Cybersecurity researchers from the Microsoft Security Response Center, together with independent researcher Avinash Sudhodanan, found a way to break into online accounts, basically by being the first there.

There are a couple of methods to successfully conduct the attack, but here’s the gist of it - in layman’s terms: If the attacker knows the victim’s email address, and knows they don’t have an account registered on a service, they can create the account for them - using their email address (and hoping the victim dismisses the email notification as spam).

Single sign-on

For services that require user confirmation via email, there’s a catch - attackers can create an account with a different email address, and then switch to the victim’s address later on.

Here’s where the service’s features come in - some allow account merging. If the service sees that the victim is trying to register an account with an email that’s already registered, it may offer a single sign-on feature, without ever prompting the victim for the password. The victim logs in, the attacker stays logged in. The passwords are never changed.

In some instances, the attacker can also create an automated script to keep the session active for as long as needed.

> VoIP business phone system hack hits over a thousand businesses

> Phishing just got personal – avoiding the social media trap

> Behind the hack: How tech journalists were voluntarily hacked (in the name of research)

While the researchers already disclosed their findings with some of the biggest sites, most of which plugged the hole already, the researchers are warning that many more probably have this loophole, and whether or not they’ll fix it any time soon is a very big “maybe”.

More details on how the attacks work, and what users can do to spot, and mitigate the threat, can be found in the “Pre-hijacking Attacks on Web User Accounts” paper, published by Microsoft’s Security Response team, earlier this week.

As usual, users are advised to set up security keys and other forms of multi-factor authentication wherever possible.

Safeguard your devices with the best firewalls right now

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.