New 'Pre-Hijacking' a Threat to User Accounts
Nearly half of the leading websites examined in a new report are vulnerable to an audacious attack technique: hijacking a user's account before the user has even created it.
The attack takes several forms, but it usually starts with the attacker creating an account on a website using the victim's email address, then waiting for the real owner of that address to sign up on the same site.
Microsoft's Andrew Paverd and independent researcher Avinash Sudhodanan detailed the problems in a research paper and blog post. (Source: microsoft.com)
They say the "root cause" of the problem is that many websites let users who create an account access some features before they prove they own the email address they used to sign up. That's usually done by sending an email with a link or confirmation code.
Password Resets Vulnerable
The researchers detailed five ways attackers could take advantage of these weaknesses, depending on the design of the site in question. Some were highly technical, others quite basic.
For example, one approach is to create an account using the victim's email address and then wait for the real person to sign up using a third-party login such as their Facebook or Google details. In some cases the site merges the two sign-ups into a single account, leaving both the attacker and the real user able to access it. (Source: theregister.com)
Another tactic takes advantage of sites that don't close all active sessions when the real user resets their password: the attacker's earlier login stays valid even after the victim has taken the account over.
35 Leading Sites At Risk
The researchers say they tested the techniques on 75 of the 150 most popular websites and found 35 vulnerable to at least one of the methods. They say they passed full details to the affected sites and then waited at least seven months before going public, but fear other sites remain vulnerable.
According to the researchers, the simplest fix is for sites to stop users doing anything with an account until they have confirmed ownership of the email address (or other identifier) used to create it. They also say sites should sign out every active session when a password is reset, and should regularly delete accounts that were created but never verified.
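To make the weaknesses and the fixes concrete, here is a small Python model of an account service, added for this write-up; it is not code from the researchers or from any site they tested. The `AccountService` and `run_scenario` names, the sample addresses and the passwords are assumptions of this example. With `strict=False` the service reproduces the three behaviours described above (a usable session before the email is verified, a third-party sign-in merged into an existing unverified account, and a password reset that leaves old sessions alive); with `strict=True` it applies the recommended fixes, including periodic deletion of never-verified accounts.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    password: Optional[str] = None   # plaintext only because this is a toy model
    verified: bool = False
    created_at: float = 0.0


class AccountService:
    # strict=False mirrors the weak designs the article describes; strict=True applies the fixes.
    def __init__(self, strict: bool, unverified_ttl: float = 7 * 86400):
        self.strict = strict
        self.unverified_ttl = unverified_ttl
        self.now = 0.0                      # hypothetical clock (seconds), advanced by the caller
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}  # session token -> email

    def _new_session(self, email: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = email
        return token

    def signup_classic(self, email: str, password: str) -> Optional[str]:
        if email in self.accounts:
            raise ValueError("email already registered")
        self.accounts[email] = Account(email, password, created_at=self.now)
        # Weak site: a usable session before the email is verified (the root cause).
        # Strict site: no session until verify_email() has been called.
        return None if self.strict else self._new_session(email)

    def verify_email(self, email: str) -> None:
        # Called when the confirmation link or code sent to the address is used.
        self.accounts[email].verified = True

    def login_classic(self, email: str, password: str) -> str:
        acct = self.accounts.get(email)
        if acct is None or acct.password != password:
            raise PermissionError("bad credentials")
        if self.strict and not acct.verified:
            raise PermissionError("verify your email address first")
        return self._new_session(email)

    def signin_federated(self, email: str, provider: str, subject: str) -> str:
        # The third-party provider asserts that `email` belongs to its user `subject`.
        acct = self.accounts.get(email)
        if acct is None:
            acct = self.accounts[email] = Account(email, verified=True, created_at=self.now)
        elif not acct.verified and self.strict:
            # Strict: never merge into an account whose email nobody has proven they own.
            raise PermissionError("unverified account with this email exists; cannot merge")
        # Weak: classic-federated merge; the attacker's password stays valid on the account.
        acct.verified = True
        return self._new_session(email)

    def reset_password(self, email: str, new_password: str) -> None:
        # Assumes the caller has already proved ownership through the reset email.
        self.accounts[email].password = new_password
        if self.strict:  # sign out every session, including any the attacker opened earlier
            self.sessions = {t: e for t, e in self.sessions.items() if e != email}

    def purge_unverified(self) -> list:
        # Delete accounts never verified within unverified_ttl, along with their sessions.
        stale = [e for e, a in self.accounts.items()
                 if not a.verified and self.now - a.created_at > self.unverified_ttl]
        for e in stale:
            del self.accounts[e]
        self.sessions = {t: e for t, e in self.sessions.items() if e not in stale}
        return stale


def _allowed(action) -> bool:
    try:
        action()
        return True
    except PermissionError:
        return False


def run_scenario(strict: bool) -> dict:
    # Plays the attack against one service; every value should be False when strict=True.
    svc = AccountService(strict=strict)
    victim = "victim@example.com"       # constructed address
    # 1. Attacker registers first with the victim's email and a password of their own.
    attacker_session = svc.signup_classic(victim, "attacker-chosen-pw")
    result = {"pre_verification_access": attacker_session is not None}
    # 2. The victim later signs up with a third-party login for the same email.
    result["merged"] = _allowed(lambda: svc.signin_federated(victim, "google", "sub-42"))
    # 3. Does the attacker's own password still open the account the victim now uses?
    result["attacker_pw_works"] = _allowed(lambda: svc.login_classic(victim, "attacker-chosen-pw"))
    # 4. The victim resets the password; does the attacker's earlier session survive?
    svc.reset_password(victim, "victim-new-pw")
    result["attacker_session_survives_reset"] = attacker_session in svc.sessions
    return result
```

`run_scenario(strict=False)` reports every attacker foothold as present: the attacker is logged in before any verification, the victim's Google sign-in is merged into the attacker's account, the attacker's password still works afterwards, and the attacker's session outlives the victim's password reset. `run_scenario(strict=True)` reports none of them, because the attacker never receives a session, the federated sign-in refuses to merge into an unverified account, and the reset signs out every session. `purge_unverified()` is the clean-up of never-verified accounts the researchers also recommend; in a real service it would run on a schedule rather than against a hand-advanced clock.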
What's Your Opinion?
Are you surprised by this report? The last time you created an account, were you able to do anything before confirming your email address? Are the researchers' suggested fixes realistic?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years of experience; I also run this website.
Comments
I'm not surprised
There are too many techies out there who have control of sites big and small.
They're just not paying attention to how easy it is for someone with a bit of knowledge to hack a site.
Go to where the users are
Remember Willie Sutton? "I rob banks because that's where the money is."
About time someone thought of crashing websites - it's a lot faster than cracking users one at a time.
That said, how do we protect ourselves?
Dennis Faas, care to comment? I've been following you for decades now and highly respect your advice.
So far, with 2-factor turned on, I know I've been attempted on more than one site. Of course, they can't get in without knowing or accessing the 2nd factor, so I get notified, and that's it.
Beyond that, I don't know. Yet.