Hackers Can Now Hijack Your Accounts Even Before You Create Them: Here's How
Security researchers have found that attackers can hijack online accounts before their owners have created them, using flaws in the sign-up flows of services including Instagram, LinkedIn, Zoom, WordPress and Dropbox. The issues were reported to the services and several have since been fixed.
Attackers can take control of an online account before its owner has even registered. You read that right. The technique, which the researchers call account pre-hijacking, exploits weaknesses in how services handle sign-up and email verification, and it worked against some of the best-known platforms on the web.
The study was carried out by Avinash Sudhodanan, an independent security researcher, and Andrew Paverd of the Microsoft Security Response Center. They analysed 75 popular online services and found that at least 35 were vulnerable to one or more pre-hijacking attacks at the time of testing.
The researchers explain in their paper on arXiv: "The impact of account pre-hijacking attacks is the same as that of account hijacking. Depending on the nature of the target service, a successful attack could allow the attacker to read/modify sensitive information associated with the account (e.g., messages, billing statements, usage history, etc.) or perform actions using the victim's identity (e.g., send spoofed messages, make purchases using saved payment methods, etc.)."
How is "pre-hijacking" performed by hackers?
To pull off a pre-hijacking attack, the attacker first needs the target's email address, which is rarely hard to find. The attacker then creates an account on a vulnerable service using that address. The service will usually send a verification email to the target; if the target dismisses it as spam or simply ignores it, the attacker's account stays in place. The last step is to wait for the target to sign up for the service themselves, or to trick them into doing so. What happens next depends on how the service handles the collision: if it merges the new sign-up into the existing account, or lets the attacker's earlier session, token or pending change survive the victim's registration, the attacker ends up with access to the victim's newly created account.
How does the attacker get around email verification? By abusing a feature that most online services offer: the attacker creates the account with their own email address, which they can verify, and later changes the account's address to the victim's. If the service applies the change without confirming the new address, the victim's email ends up attached to an account the attacker controls, and no verification link in the victim's inbox ever needs to be clicked.
The researchers say they reported the flaws to Instagram, Dropbox, WordPress, LinkedIn and Zoom, and that some of these services have already fixed them.
How was this possible in the first place? Largely because of lax verification. Most services want sign-up to be a quick, single-page process, and account security suffers as a result: an account can often be used, or kept alive, before anyone has proved they own the email address attached to it. Users should still enable multi-factor authentication (MFA) on every service that offers it. On a well-implemented service, enrolling in MFA, like changing your password, also invalidates existing sessions, which locks out an attacker who got in first. Users cannot assume every service does this, though, which is why the real fix belongs on the service side: verify the email address before the account can be used, and terminate all existing sessions and pending changes once ownership of the account has been established.
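As an added example, not code from the paper or from any of the services named above, the Python model below reproduces both pre-hijacking paths described in the previous section (an unverified account created with the victim's address, and an account whose address is changed to the victim's without confirmation) together with the session point made in the paragraph above. The `Service` class, its `strict` flag, and the addresses and passwords are all constructed for illustration: `strict=False` models the weak behaviour, `strict=True` the checks a hardened service would make.

```python
# Toy model of a sign-up flow, constructed for this example; not code from the paper or any named service.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    email: str
    password: str
    email_verified: bool = False
    pending_email: Optional[str] = None              # change awaiting confirmation
    sessions: Set[str] = field(default_factory=set)  # live session tokens


class Service:
    """strict=False: the weak behaviour described above (unverified accounts usable,
    repeat sign-up merged, address change unconfirmed). strict=True: hardened checks."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.accounts: Dict[str, Account] = {}    # keyed by current address
        self.by_session: Dict[str, Account] = {}  # session token -> account

    def _login(self, acct: Account) -> str:
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        self.by_session[token] = acct
        return token

    def _revoke(self, acct: Account, keep: Optional[str] = None) -> None:
        for t in [t for t in acct.sessions if t != keep]:
            acct.sessions.discard(t)
            self.by_session.pop(t, None)

    def signup(self, email: str, password: str) -> str:
        """Register and return a session; it works before the verification link is used."""
        existing = self.accounts.get(email)
        if existing is not None and not self.strict:
            # Weak: merge into the existing account. The password is replaced,
            # but every session already open on that account stays valid.
            existing.password = password
            return self._login(existing)
        if existing is not None and existing.email_verified:
            raise ValueError("address already registered; use password reset")
        if existing is not None:
            # Strict: an unverified placeholder has no proven owner, so discard it
            # (sessions included) instead of merging the new sign-up into it.
            self._revoke(existing)
        self.accounts[email] = Account(email, password)
        return self._login(self.accounts[email])

    def verify_email(self, email: str) -> None:
        self.accounts[email].email_verified = True  # link in the verification mail followed

    def change_email(self, token: str, new_email: str) -> None:
        acct = self.by_session[token]
        if self.strict:
            acct.pending_email = new_email  # bound only via confirm_email_change
            return
        # Weak: re-key the account at once; nobody at new_email is asked.
        self.accounts[new_email] = self.accounts.pop(acct.email)
        acct.email = new_email

    def confirm_email_change(self, email: str, new_email: str) -> bool:
        """Strict: link sent to new_email followed; refused if that address is now taken."""
        acct = self.accounts.get(email)
        if acct is None or acct.pending_email != new_email or new_email in self.accounts:
            return False
        self.accounts[new_email] = self.accounts.pop(email)
        acct.email, acct.pending_email = new_email, None
        return True

    def enable_mfa(self, token: str) -> None:
        if self.strict:  # enrolling MFA ends every other session on the account
            self._revoke(self.by_session[token], keep=token)

    def is_authenticated(self, token: str, email: str) -> bool:
        acct = self.by_session.get(token)
        return acct is not None and acct.email == email


VICTIM, ATTACKER = "victim@example.com", "attacker@example.net"  # constructed


def pre_hijack(strict: bool, via_email_change: bool) -> bool:
    """One attempt; True means the attacker's session still works after the victim
    has signed up, verified the address and enrolled MFA."""
    svc = Service(strict)
    if via_email_change:
        atk = svc.signup(ATTACKER, "attacker-pw")  # attacker registers own address...
        svc.verify_email(ATTACKER)
        svc.change_email(atk, VICTIM)              # ...then swaps in the victim's
    else:
        atk = svc.signup(VICTIM, "attacker-pw")    # verification mail reaches the victim, ignored
    vic = svc.signup(VICTIM, "victim-pw")          # victim registers later
    svc.verify_email(VICTIM)
    svc.enable_mfa(vic)
    return svc.is_authenticated(atk, VICTIM)
```

With `strict=False`, both `pre_hijack(False, False)` and `pre_hijack(False, True)` return True: the attacker's session survives the victim's sign-up, email verification and MFA enrolment, even though the victim has set their own password. With `strict=True` both return False, because the unverified placeholder is discarded at sign-up, an address change never binds until it is confirmed from the new mailbox (and is refused if someone else has claimed the address meanwhile), and MFA enrolment revokes every other session.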
References
Paverd, A. (2022, May 23). New Research Paper: Pre-hijacking Attacks on Web User Accounts. Microsoft Security Response Center.
Toulas, B. (2022, May 24). Hackers can hack your online accounts before you even register them. BleepingComputer.