1. account_pre-hijacking
Contents
/SSO Single Sign-On (SSO), federated identity management /Non-Verifying_IdP
https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/
Pre-hijacking Attacksのメモ書き https://gist.github.com/azu/faa7909d32c0ed1ab4fced3ad4ab74d8
https://arxiv.org/abs/2205.10174?context=cs
メイルアドレスをidとして使うサービス(の危険性)
- 攻撃対象のメールアドレスを使って、権利者より先に目標のサービスにアカウントを作れるなら、
攻撃者は「なりすまし罠」にさまざまな手法を使える。 (意訳 -- ToshinoriMaeno 2022-06-01 02:12:09)
「到達性のないメールアドレス」をIDとして登録できるサービスがあるらしい。
-- ToshinoriMaeno 2022-06-10 00:09:26
- Spotifyが該当することは分かったが、すでに存在しているアカウントの乗取が問題になっているので、 現状はpre-hijackingではなさそうだ。
フィッシング/Spotify不正ログイン通知が話題に上がっている。-- ToshinoriMaeno 2022-06-26 14:32:13
Gigazine 記事 (日本語版が先に出たとのこと) 2022年06月01日
https://gigazine.net/gsc_news/en/20220601-account-pre-hijacking/
1.1. research
Avinash Sudhodanan in collaboration with Andrew Paverd
New Research Paper: Pre-hijacking Attacks on Web User Accounts
https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/
identity theftの手口のいくつか Microsoft Security Response Center /microsoft
if the attacker can create an account at a target service using the victim’s email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state.
Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web
https://arxiv.org/abs/2205.10174
https://arxiv.org/pdf/2205.10174.pdf 2205.10174.pdf
4 Account Pre-Hijacking Attacks /4
For all these attacks, the attacker needs to identify services at which the victim does not yet have an account but is likely to create one in future.
Root Cause and Mitigation Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account. Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.
1.2. 紹介記事
https://www.helpnetsecurity.com/2022/05/24/account-pre-hijacking/
https://www.theregister.com/2022/05/25/web_pre_hijacking/
Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds Ben Dickson 30 May 2022 at 15:30 UTC