Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web (2205.10174v1)

Published 20 May 2022 in cs.CR

Abstract: The ubiquity of user accounts in websites and online services makes account hijacking a serious security concern. Although previous research has studied various techniques through which an attacker can gain access to a victim's account, relatively little attention has been directed towards the process of account creation. The current trend towards federated authentication (e.g., Single Sign-On) adds an additional layer of complexity because many services now support both the classic approach in which the user directly sets a password, and the federated approach in which the user authenticates via an identity provider. Inspired by previous work on preemptive account hijacking [Ghasemisharif et al., USENIX SEC 2018], we show that there exists a whole class of account pre-hijacking attacks. The distinctive feature of these attacks is that the attacker performs some action before the victim creates an account, which makes it trivial for the attacker to gain access after the victim has created/recovered the account. Assuming a realistic attacker who knows only the victim's email address, we identify and discuss five different types of account pre-hijacking attacks. To ascertain the prevalence of such vulnerabilities in the wild, we analyzed 75 popular services and found that at least 35 of these were vulnerable to one or more account pre-hijacking attacks. Whilst some of these may be noticed by attentive users, others were completely undetectable from the victim's perspective. Finally, we investigated the root cause of these vulnerabilities and present a set of security requirements to prevent such vulnerabilities arising in future.

Citations (6)

Summary

  • The paper identifies account pre-hijacking as a critical vulnerability exploiting weak identifier verification during online account creation.
  • It empirically evaluates 75 popular services and finds at least 35 of them vulnerable, showing that failures in account creation are widespread, including where classic password sign-up coexists with federated (Single Sign-On) authentication.
  • The study advocates robust mitigation strategies, including strict identifier verification and improved session management to prevent such attacks.

An Analysis of Account Pre-Hijacking Attacks in Online Services

This paper presents a novel class of security threats termed "account pre-hijacking attacks," which target the account creation process of online services in order to compromise user accounts later. The premise is that an attacker who knows only the victim's email address can act on the service before the victim ever registers, and that the service's handling of registration, identifier verification and session state then hands the attacker access once the victim creates or recovers the account. Several of the attacks exploit the coexistence of the classic sign-up path (the user sets a password) with the federated path (the user authenticates via an identity provider such as Single Sign-On), but federation is not a precondition for all of them. The paper examines the attack vectors, measures the prevalence of the underlying vulnerabilities in widely used services, and proposes requirements to prevent them.

In every attack the attacker interacts with the target service before the legitimate user creates an account. For instance, the attacker pre-registers a classic (password-based) account using the victim's email address without ever proving control of that address. When the victim later signs up through an identity provider, the service sees an existing account with the same email and merges the two, so the attacker's password remains a valid credential for what is now the victim's account. The root problem is that the email address is used as the unique key linking the federated and non-federated identity paths, while ownership of that key was never verified on the path the attacker used.

The authors detail five specific attack types: the Classic-Federated Merge attack, the Unexpired Session Identifier attack, the Trojan Identifier attack, the Unexpired Email Change attack, and the Non-Verifying IdP attack. Each exploits a different aspect of how services handle account creation, identifier verification and session management: merging accounts on an unverified identifier, leaving sessions created before a password reset alive after it, letting the attacker attach a second identifier of their own to the account, letting a pending email change survive the victim's takeover, and trusting an identity provider that does not itself verify email ownership. Across all of them, the service's failure to verify ownership of an identifier before allowing it to be used is the critical weakness.

Empirically, the researchers examined 75 popular services drawn from Alexa's top-ranked websites to assess the real-world prevalence of these vulnerabilities. The findings are stark: at least 35 of the 75 services were susceptible to one or more forms of pre-hijacking attack, and some of the attacks were entirely undetectable from the victim's perspective. The vulnerable services span a diverse array of categories, including cloud storage, social networking, video conferencing and blogging platforms. Such findings underscore the importance of robust security measures during the account creation phase, especially given these services' widespread adoption and the sensitive nature of their data.

In response, the paper proposes a set of best practices to mitigate these risks. The foremost recommendation is to enforce strict identifier verification, ensuring that the claimed ownership of identifiers is confirmed before any account-related actions are permitted. Additionally, implementing comprehensive session management policies that invalidate all sessions upon critical account changes, such as password resets or email changes, would significantly curtail the potential for such attacks. Furthermore, the researchers advocate for increased adoption of Multi-Factor Authentication (MFA), which could act as an additional layer of security during account recovery or usage phases.

The theoretical implications of the research illuminate a relatively underexplored attack surface in the security of online accounts. The findings suggest that the conventional focus on post-creation account security needs to be complemented by robust preemptive defenses during the account creation phase. Practically, the insights call for service providers to critically evaluate their current protocols in account management, emphasizing the need for conventions that balance both usability and security.

Looking forward, the evolution of federated identity systems and their security assurances will likely dictate the future landscape of account pre-hijacking risks. As such systems become more complex and integral to user experience, the emphasis on ensuring their robust security must parallel their adoption and innovation. Effective automation tools could also facilitate the scalable detection of such vulnerabilities, extending beyond the manual methodology currently employed.

Overall, the paper effectively raises awareness of a potentially exploitable vulnerability within modern web authentication systems, shedding light on the need for improved preventative security measures within the burgeoning field of federated identity management.
