Here is something new – pre-hijacking!

Hijacking of online accounts is a serious cyber security concern. The unauthorised access by threat actors to everything from Amazon accounts to Zoho accounts all have data breach consequences either for the individual or organisation. (That is why we tell all our clients to make multi-factor authentication (MFA) compulsory for everything. I know MFA can be beaten but not having it there is worse.)

This academic paper examines a range of possible attacks that are carried out before the online account is created, making it easy for a bad actor to gain access to the newly created or recovered account. To test the propositions 75 of the most common online services were examined and 35 were shown to be vulnerable to at least one of the proposed attacks.

Some of the attacks could be spotted by sharp eyed user, others could not!

The paper goes on to suggest mitigations for the attacks examined.

[2205.10174] Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web (arxiv.org)

References

Sudhodanan, A., & Paverd, A. (2022). Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web. doi:10.48550/ARXIV.2205.10174

Further Reading

About half of popular websites vulnerable to pre-hijacking • The Register