"Hackers Can Hack Your Online Accounts Before You Even Register Them"

According to security researchers, hackers can hijack online accounts before users even register them. This is possible through the exploitation of vulnerabilities, since fixed, on popular websites including Instagram, LinkedIn, Zoom, WordPress, and Dropbox. Of the 75 popular online services analyzed, at least 35 were found to be vulnerable to account pre-hijacking attacks, according to Andrew Paverd, a researcher at the Microsoft Security Response Center (MSRC), and Avinash Sudhodanan, an independent security researcher. The type and severity of these attacks vary, but they all arise from poor security policies followed by the websites. First, a hacker must know a target's email address for a pre-hijacking attack to work, which is easy to obtain through email correspondence or data breaches faced by companies. Next, the attacker uses the target's email address to create an account on a vulnerable website, hoping that the victim will dismiss the notification sent to their inbox as spam. Finally, the attacker either waits for the victim to sign up for the site or tricks them into doing so. During this process, there are five different attacks that threat actors can perform: the classic-federated merge (CFM), the unexpired session (US) identifier, the trojan identifier (TID), the unexpired email change (UEC), and the non-verifying (NV) identity provider (IDP) attack. This article continues to discuss the researchers' findings surrounding the performance and potential impact of the pre-hijacking attacks.

BC reports "Hackers Can Hack Your Online Accounts Before You Even Register Them"
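The summary names the attack variants but not what a site should do about them. The added example below is my own illustration, not code from the researchers or from any of the sites named: a toy account service with a weak policy beside a hardened one, where a classic sign-up yields no usable session until the address is verified, and a federated login that merges into an unverified account discards the sessions and pending email change set up before ownership was proven (the CFM, US and UEC cases). The class, function and addresses are constructed for the example.

```python
import secrets

class AccountStore:
    def __init__(self, strict):
        self.strict = strict   # False: weak policy, True: hardened policy
        self.accounts = {}     # email -> {"verified", "sessions", "pending_email"}

    def _account(self, email):
        return self.accounts.setdefault(
            email, {"verified": False, "sessions": set(), "pending_email": None})

    def _new_session(self, acct):
        token = secrets.token_hex(8)
        acct["sessions"].add(token)
        return token

    def account_for_session(self, token):
        return next((a for a in self.accounts.values() if token in a["sessions"]), None)

    def classic_signup(self, email):
        # Anyone can start a classic sign-up with any address; ownership is unproven.
        # Hardened: no usable session until verified. Weak: a live session right away.
        acct = self._account(email)
        return None if self.strict else self._new_session(acct)

    def request_email_change(self, token, new_email):
        acct = self.account_for_session(token)
        if acct is not None:
            acct["pending_email"] = new_email   # confirmation link is sent to new_email

    def federated_login(self, email):
        # The IdP has just attested this address; an existing classic account is merged.
        acct = self._account(email)
        if self.strict and not acct["verified"]:
            acct["sessions"].clear()       # hardened: drop sessions opened before ownership
            acct["pending_email"] = None   # was proven, and any email change queued then
        acct["verified"] = True
        return self._new_session(acct)

def leftovers_after_merge(strict):
    # Which pre-verification artefacts survive the owner's first federated login?
    store = AccountStore(strict)
    email = "owner@example.com"   # constructed address
    early = store.classic_signup(email)
    if early is not None:
        store.request_email_change(early, "other@example.invalid")
    store.federated_login(email)
    return {"session": store.account_for_session(early) is not None,
            "pending_email_change": store.accounts[email]["pending_email"] is not None}
```

Under the weak policy both artefacts survive the merge; under the hardened policy neither does.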
