Skip to main content

Hackers can pre-hack your online accounts before you've even registered

The best free password manager
(Image credit: Shutterstock)

Thanks to a few features that weren’t well thought-through, cybercriminals can break into online accounts (opens in new tab) on some of the internet’s biggest platforms, without ever knowing the passwords. All they need to know, according to researchers investigating the matter, is the victim’s email address, and that is hardly a problem these days.

Cybersecurity researchers from the Microsoft Security Response Center, together with independent researcher Avinash Sudhodanan, found a way to break into online accounts, basically by being the first there. 

There are a couple of methods to successfully conduct the attack, but here’s the gist of it - in layman’s terms: If the attacker knows the victim’s email address, and knows they don’t have an account registered on a service, they can create the account for them - using their email address (and hoping the victim dismisses the email notification as spam).

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.

Single sign-on

For services that require user confirmation via email, there’s a catch - attackers can create an account with a different email address, and then switch to the victim’s address later on. 

Here’s where the service’s features come in - some allow account merging. If the service sees that the victim is trying to register an account with an email that’s already registered, it may offer a single sign-on feature, without ever prompting the victim for the password (opens in new tab). The victim logs in, the attacker stays logged in. The passwords are never changed. 

In some instances, the attacker can also create an automated script to keep the session active for as long as needed.

While the researchers already disclosed their findings with some of the biggest sites, most of which plugged the hole already, the researchers are warning that many more probably have this loophole, and whether or not they’ll fix it any time soon is a very big “maybe”.

More details on how the attacks work, and what users can do to spot, and mitigate the threat, can be found in the “Pre-hijacking Attacks on Web User Accounts (opens in new tab)” paper, published by Microsoft’s Security Response team, earlier this week.

As usual, users are advised to set up security keys (opens in new tab) and other forms of multi-factor authentication wherever possible.

Via: BleepingComputer (opens in new tab)

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.