Thanks to a few features that weren’t well thought-through, cybercriminals can break into online accounts on some of the internet’s biggest platforms, without ever knowing the passwords. All they need to know, according to researchers investigating the matter, is the victim’s email address, and that is hardly a problem these days.
Cybersecurity researchers from the Microsoft Security Response Center, together with independent researcher Avinash Sudhodanan, found a way to break into online accounts, basically by being the first there.
There are a couple of methods to successfully conduct the attack, but here’s the gist of it - in layman’s terms: If the attacker knows the victim’s email address, and knows they don’t have an account registered on a service, they can create the account for them - using their email address (and hoping the victim dismisses the email notification as spam).
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
For services that require user confirmation via email, there’s a catch - attackers can create an account with a different email address, and then switch to the victim’s address later on.
Here’s where the service’s features come in - some allow account merging. If the service sees that the victim is trying to register an account with an email that’s already registered, it may offer a single sign-on feature, without ever prompting the victim for the password. The victim logs in, the attacker stays logged in. The passwords are never changed.
In some instances, the attacker can also create an automated script to keep the session active for as long as needed.
While the researchers already disclosed their findings with some of the biggest sites, most of which plugged the hole already, the researchers are warning that many more probably have this loophole, and whether or not they’ll fix it any time soon is a very big “maybe”.
More details on how the attacks work, and what users can do to spot, and mitigate the threat, can be found in the “Pre-hijacking Attacks on Web User Accounts” paper, published by Microsoft’s Security Response team, earlier this week.
As usual, users are advised to set up security keys and other forms of multi-factor authentication wherever possible.