What is pre-hijacking, and how can it compromise accounts?

Account pre-hijacking is a threat, showcasing that accounts that do not yet exist can end up compromised. Essentially, hackers create accounts in advance with victims’ email addresses. Thus, perpetrators must be aware of their targets’ email addresses to exploit them. 

However, previously breached accounts have built extensive databases of such information. So, pre-hijacking performs account takeovers in reverse, with hackers corrupting profiles before a victim creates an account. 

What is pre-hijacking? 

Account pre-hijacking attacks represent a new category of threats targeting accounts that users have not registered yet. In the past, most hijacking attempts focused on accounts that people already control. However, pre-hijacking takes a leap by compromising account creation. 

So, an attacker creates an account on behalf of the user without their consent. Then, the waiting period begins until the victim creates or tries to recover an account on the compromised service. 

Perpetrators rely on several techniques to retain access to accounts. For instance, they might hope users do not receive or ignore account security notifications. Depending on targeted services, pre-hijacking could grant hackers access to sensitive information like billing details. 

According to research by Andrew Paverd and Avinash Sudhodanan, many high-traffic services like Instagram, WordPress, or Dropbox were vulnerable to account pre-hijacking. The study focused on 75 service providers, and at least 35 were susceptible to this threat. Microsoft’s Security Response Center made the initial introduction to this security exploit. 

How does pre-hijacking work? 

The novel class of account pre-hijacking attacks follows a strict routine to compromise users before they even create accounts. Security researchers name three general stages of this attack: 

1. Pre-hijack stage. Perpetrators create accounts on selected services using victims’ identifiers (email addresses or phone numbers). It is crucial that targets have not created an account using the exploited identifier. During this stage, attackers also need to predict which service the victim will join in the future.
2. User action. During this stage, pre-hijacking attackers wait for victims to create or recover accounts using the same identifiers. Hackers could try to coerce targets into signing up by sending phishing emails with invitations to the service. Users could notice the pre-hijacking attack when trying to create or recover accounts. However, it depends on whether the service issues appropriate security notifications. If users disregard warnings or do not receive them, they could start operating the compromised account. 
3. Additional attack. Now, attackers can perform full account takeovers, making victims lose control of them. Nevertheless, some could perform more stealthy measures to retain concurrent access to accounts. Researchers discovered five attacks used in this stage. 

Types of account pre-hijacking attacks

Security research names five potential pre-hijacking attacks. Some exploit single sign-on (SSO) options, while others rely on classic account creation. 

Classic-federated merge attack

This threat represents the potential of hackers and victims having access to the same account. Initially, a pre-hijacking attack creates an account following the traditional sign-up (setting a unique password). 

However, victims use the SSO option to join a service. The website could merge these two accounts and fail to send a letter stating that an account already exists. If victims do not change the password for the classic account, attackers can retain access to the profile. 

Unexpired session attack

This pre-hijacking attack works if services do not invalidate all active sessions after password resets. In this case, the user tries to sign up for a service but notices that they already have an account. 

Then, they cannot log in as they do not know the password perpetrators have set. As a result, the victim changes the password. The problem is that a service might not invalidate active sessions after this. 

Thus, perpetrators can automate the task of keeping an active session. For instance, scripts could frequently perform an action to maintain it. In the end, the hackers can retain access to the account even if victims change passwords.

Trojan identifier attack

During this account pre-hijacking, attackers create an account using victims’ email addresses. However, they link this account to their own SSO. Thus, the perpetrators could retain access via Google or Facebook even if victims change passwords. 

Unexpired email change attack

This method exploits the possibility that email-change URLs do not expire. Thus, perpetrators create an account using victims’ email addresses. Then, they initiate an email change and receive an email-change letter in their inbox. 

However, they do not complete the process, leaving accounts linked to victims’ emails. Once victims reset passwords and have used the account for some time, hackers could finally finish the email change. As a result, they take over the account. 

Non-verifying IdP attack

In this pre-hijacking attack, perpetrators create an IdP account using the targets’ email addresses. It exploits the possibility that services trust IdP to conduct the necessary email verification. 

Thus, hackers can create another account using the fraudulent IdP. When victims try to sign up, services might combine the hacker-controlled account with the new one. 

What services are susceptible to pre-hijacking attacks? 

Researchers discovered that services like Zoom and LinkedIn were susceptible to one or more pre-hijacking attacks. The potential for exploitation depends on how companies deal with identifier verification. In many cases, services can dismiss certain security practices, like trusting IdP to run email verification. 

Such assumptions and possible mishaps can be the result of reducing UX friction. However, the pre-hijacking threat proves that strict identifier verification is necessary. 

For example, services should send all appropriate security notifications to the user. Additionally, companies should reconsider merging accounts created via SSO and classic password creation. Lastly, email-change URLs should have a relatively short expiration date to prevent abuse. 

How can users protect their future accounts from pre-hijacking? 

Service providers have the responsibility to combat the pre-hijacking security exploit. However, users can do their part by being attentive and taking advantage of the protection measures available.  

• Pay attention to security notifications. Check your inbox and take heed of warnings that you receive. For instance, some service providers send automatic alerts when accounts get logged in from new devices. 
• Look for red flags during account creation. You might discover accounts on services you had never encountered before. Take this as a warning that hackers have performed a pre-hijacking account on it. For instance, you can request the service to delete the account. Later, you can create a brand new account.
• Check devices that you have used to log in to your accounts. If possible, look through active sessions and end those you do not recognize. 
• Use two-factor authentication. 2FA can stop attackers from using an account after victims reset passwords. Furthermore, double-check whether a service invalidates sessions created before adding 2FA.  
• Keep track of accounts you have. Password managers help see all your account credentials in one place. Take the time to add all credentials, and you will always know if you have an account with a specific service. Thus, you will quickly recognize when a pre-hijacking might have occurred.