Movatterモバイル変換

Account pre-hijacking

From Wikipedia, the free encyclopedia

Class of security exploit

Account pre-hijacking attacks are a class ofsecurity exploit related toonline services. They involve anticipating a user signing up for an online service and signing up to the service in their name, and then taking over their account when they attempt to register it themselves.^[1]^[2]^[3] The attack relies on confusion between accounts created byfederated identity services and accounts created using e-mail addresses and passwords, and the failure of services to resolve this confusion correctly.^[1]

Pre-hijacking was first identified as a class of vulnerabilities in 2022, based on research funded byMicrosoft's Security Response Center.^[4]^[5]

Out of 75 online services surveyed, 35 were found to be vulnerable to various forms of the exploit. Vulnerable services includedDropbox,Instagram,LinkedIn,WordPress andZoom. The existence of the vulnerability was reported to all the service providers before publication of the paper.^[5]

References

[edit]

^^a ^bKovacs, Eduard (May 24, 2022)."Hackers Can 'Pre-Hijack' Online Accounts Before They Are Created by Users".Security Week. Retrieved2022-05-31.
^Brinkmann, Martin (2022-05-24)."Pre-hijacking Attacks of user accounts are on the rise".gHacks Technology News. Retrieved2022-05-31.
^Andrew Paverd (May 23, 2022)."New Research Paper: Pre-hijacking Attacks on Web User Accounts".Microsoft Security Response Center. Retrieved2022-05-31.
^Dickson, Ben (2022-05-30)."Dozens of high-traffic websites vulnerable to 'account pre-hijacking', study finds".The Daily Swig. Retrieved2022-05-31.
^^a ^bSudhodanan, Avinash; Paverd, Andrew (2022-05-20). "Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web".arXiv:2205.10174 [cs.CR].

Hacking in the 2020s

← 2010s

Timeline

2030s →

Major incidents

2020	BlueLeaks Twitter account hijacking European Medicines Agency data breach Nintendo data leak United States federal government data breach EasyJet data breach Vastaamo data breach
2021	Microsoft Exchange Server breach Ivanti Pulse Connect Secure data breach Colonial Pipeline ransomware attack Health Service Executive ransomware attack Waikato District Health Board ransomware attack JBS S.A. ransomware attack Kaseya VSA ransomware attack Transnet ransomware attack Epik data breach FBI email hack National Rifle Association ransomware attack Banco de Oro hack Iranian fuel cyberattack
2022	Ukraine cyberattacks Red Cross data breach Anonymous and the Russian invasion of Ukraine Viasat hack DDoS attacks on Romania Costa Rican ransomware attack LastPass vault theft Shanghai police database leak Grand Theft Auto VI content leak
2023	Munster Technological University ransomware attack Capita data breach Evide data breach MOVEit data breach Insomniac Games data breach Polish railway cyberattack British Library cyberattack
2024	XZ Utils backdoor Kadokawa and Niconico Change Healthcare ransomware attack Ukrainian cyberattacks against Russia 2024 WazirX hack Trump campaign hack Fur Affinity domain hijacking IRLeaks attack on Iranian banks Internet Archive data breach i-Soon leak 2024 global telecommunications hack 2024 National Public Data breach
2025	Cyberattacks on Bank Sepah 2025 Paraguay ransomware attack 4chan hacking and data breach 2025 St. Paul cyberattack Jaguar Land Rover cyberattack Collins Aerospace cyberattack 2025 cyberattack on Polish power grid
2026	ManageMyHealth data breach Neighbourly data breach