Thanks to a few features that weren’t well thought-through, cybercriminals can break into online accounts (opens in new tab) on some of the internet’s biggest platforms, without ever knowing the passwords. All they need to know, according to researchers investigating the matter, is the victim’s email address, and that is hardly a problem these days.
Cybersecurity researchers from the Microsoft Security Response Center, together with independent researcher Avinash Sudhodanan, found a way to break into online accounts, basically by being the first there.
There are a couple of methods to successfully conduct the attack, but here’s the gist of it – in layman’s terms: If the attacker knows the victim’s email address, and knows they don’t have an account registered on a service, they can create the account for them – using their email address (and hoping the victim dismisses the email notification as spam).
For services that require user confirmation via email, there’s a catch – attackers can create an account with a different email address, and then switch to the victim’s address later on.
Here’s where the service’s features come in – some allow account merging. If the service sees that the victim is trying to register an account with an email that’s already registered, it may offer a single sign-on feature, without ever prompting the victim for the password (opens in new tab). The victim logs in, the attacker stays logged in. The passwords are never changed.
In some instances, the attacker can also create an automated script to keep the session active for as long as needed.
While the researchers already disclosed their findings with some of the biggest sites, most of which plugged the hole already, the researchers are warning that many more probably have this loophole, and whether or not they’ll fix it any time soon is a very big “maybe”.
More details on how the attacks work, and what users can do to spot, and mitigate the threat, can be found in the “Pre-hijacking Attacks on Web User Accounts (opens in new tab)” paper, published by Microsoft’s Security Response team, earlier this week.
As usual, users are advised to set up security keys (opens in new tab) and other forms of multi-factor authentication wherever possible.