= account_pre-hijacking =

Account registration and login can be dangerous when a service offers two or more ways to do so.

[[/SSO]] Single Sign-On (SSO), federated identity management

[[/Non-Verifying_IdP]]

https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/

Notes on Pre-hijacking Attacks (gist, in Japanese): https://gist.github.com/azu/faa7909d32c0ed1ab4fced3ad4ab74d8

https://arxiv.org/abs/2205.10174?context=cs

The danger of services that use an email address as the account ID:

If the attacker can create an account at the target service using the victim's email address before the rightful owner does, the attacker can use various techniques to set an "impersonation trap". (loose translation -- ToshinoriMaeno)

{{{
Apparently there are services that let you register an "unreachable email address" as an ID.
}}}
-- ToshinoriMaeno

Spotify turned out to be one such service, but what is being reported there is the takeover of accounts that already exist, so at present it does not look like pre-hijacking.

[[フィッシング/Spotify]] Notifications of unauthorized logins have become a topic of discussion. -- ToshinoriMaeno

----
Gigazine article (the Japanese edition reportedly came out first), June 1, 2022

https://twitter.com/gigazine/status/1531742372258025472?s=20&t=vzRhda-VE-N3SZmn84myCA

https://gigazine.net/gsc_news/en/20220601-account-pre-hijacking/

== research ==

Avinash Sudhodanan in collaboration with Andrew Paverd

New Research Paper: Pre-hijacking Attacks on Web User Accounts

https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/

Several of the techniques used in identity theft. Microsoft Security Response Center [[/microsoft]]

{{{
if the attacker can create an account at a target service using the victim’s email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state.
}}}

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

https://arxiv.org/abs/2205.10174

https://arxiv.org/pdf/2205.10174.pdf

[[attachment:2205.10174.pdf]]

4 Account Pre-Hijacking Attacks [[/4]]

{{{
For all these attacks, the attacker needs to identify services at which the victim does not yet have an account but is likely to create one in future.
}}}

{{{
Root Cause and Mitigation

Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account. Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.
}}}

== Press coverage ==

https://www.helpnetsecurity.com/2022/05/24/account-pre-hijacking/

https://www.theregister.com/2022/05/25/web_pre_hijacking/

Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds, by Ben Dickson, 30 May 2022 at 15:30 UTC

https://portswigger.net/daily-swig/dozens-of-high-traffic-websites-vulnerable-to-account-pre-hijacking-study-finds

----
CategoryDns CategoryWatch CategoryTemplate
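The "Root Cause and Mitigation" excerpt above, modelled as a minimal service: the vulnerable version verifies the identifier asynchronously (the account is usable at once, and a later federated sign-in merges into it), the hardened version issues no session until the address is confirmed and discards an unverified account when the owner arrives through an IdP. This is an added illustration, not code from the paper or from any service it studied; the class names, the session strings and the address victim@example.com are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    verified: bool = False
    sessions: set = field(default_factory=set)  # live session tokens

class VulnerableService:
    # Asynchronous verification: usable as soon as the account exists, and a
    # later federated sign-in merges into it while keeping every old session.
    def __init__(self):
        self.accounts = {}

    def signup(self, email, session):
        acct = self.accounts.setdefault(email, Account(email))
        acct.sessions.add(session)  # granted before ownership is proven
        return acct

    def login_sso(self, email, session):
        # The IdP asserted this email address, so the account becomes verified...
        acct = self.accounts.setdefault(email, Account(email))
        acct.verified = True
        acct.sessions.add(session)  # ...but any pre-registered session survives
        return acct

class HardenedService(VulnerableService):
    # Synchronous verification: no session until the address is confirmed, and
    # a federated sign-in replaces an unverified account instead of merging.
    def signup(self, email, session):
        # Record the request only; nothing usable until confirm_email() succeeds.
        return self.accounts.setdefault(email, Account(email))

    def confirm_email(self, email, session):
        acct = self.accounts[email]  # caller presented the token sent by email
        acct.verified = True
        acct.sessions.add(session)
        return acct

    def login_sso(self, email, session):
        acct = self.accounts.get(email)
        if acct is not None and not acct.verified:
            self.accounts[email] = Account(email)  # discard unverified state
        return super().login_sso(email, session)

def attacker_session_survives(service_cls):
    # Classic-federated merge scenario from the paper, with constructed values:
    # someone pre-registers the victim's address, the victim later uses SSO.
    svc = service_cls()
    svc.signup("victim@example.com", "attacker-session")
    acct = svc.login_sso("victim@example.com", "victim-session")
    return "attacker-session" in acct.sessions
```

Running the scenario against both classes shows the pre-registered session surviving only in the vulnerable service; a real deployment would also expire the unverified account after a short window and require the confirmation token to be single-use.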