Differences between revisions 37 and 38

1. account_pre-hijacking

Contents

account_pre-hijacking
1. research
2. 紹介記事

アカウント登録に二つ以上の方法がある場合には危ないことがある。

/SSO Single Sign-On (SSO), federated identity management /Non-Verifying_IdP

メイルアドレスをidとして使うサービス(の危険性)

攻撃対象のメールアドレスを使って、権利者より先に目標のサービスにアカウントを作れるなら、
攻撃者は｢なりすまし罠｣にさまざまな手法を使える。 (意訳 -- ToshinoriMaeno 2022-06-01 02:12:09)

｢到達性のないメールアドレス｣をIDとして登録できるサービスがあるらしい。

-- ToshinoriMaeno 2022-06-10 00:09:26

Gigazine 記事 (日本語版が先に出たとのこと) 2022年06月01日

https://twitter.com/gigazine/status/1531742372258025472?s=20&t=vzRhda-VE-N3SZmn84myCA

https://gigazine.net/gsc_news/en/20220601-account-pre-hijacking/

1.1. research

Avinash Sudhodanan in collaboration with Andrew Paverd

New Research Paper: Pre-hijacking Attacks on Web User Accounts

https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/

identity theftの手口のいくつか Microsoft Security Response Center /microsoft

if the attacker can create an account at a target service using the victim’s email address before the victim creates an account, 
the attacker could then use various techniques to put the account into a pre-hijacked state.

Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web

https://arxiv.org/abs/2205.10174

https://arxiv.org/pdf/2205.10174.pdf 2205.10174.pdf

4 Account Pre-Hijacking Attacks /4

For all these attacks, the attacker needs to identify services at which 
the victim does not yet have an account but is likely to create one in future.

Root Cause and Mitigation

Fundamentally, the root cause of account pre-hijacking vulnerabilities is that 
the service fails to verify that the user actually owns the supplied identifier 
(e.g. email address or phone number) before allowing use of the account. 

Although many services require identifier verification, 
they often do so asynchronously, 
allowing the user (or attacker) to use certain features of the account
before the identifier has been verified. 
Whilst this might improve usability, 
it creates a window of vulnerability for pre-hijacking attacks.

1.2. 紹介記事

https://www.helpnetsecurity.com/2022/05/24/account-pre-hijacking/

https://www.theregister.com/2022/05/25/web_pre_hijacking/

Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds Ben Dickson 30 May 2022 at 15:30 UTC

https://portswigger.net/daily-swig/dozens-of-high-traffic-websites-vulnerable-to-account-pre-hijacking-study-finds

CategoryDns CategoryWatch CategoryTemplate

MoinQ: なりすまし/account_pre-hijacking (last edited 2022-08-26 07:47:28 by ToshinoriMaeno)

-  ⇤ ← Revision 37 as of 2022-06-10 00:16:08 → 
  Size: 3099
  Editor: ToshinoriMaeno
  Comment:
+   ← Revision 38 as of 2022-06-10 00:16:36 → ⇥
  Size: 3109
  Editor: ToshinoriMaeno
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 16:
-｢到達性のないメールアドレス｣をIDとして登録できるサービスがあるらしい。-- ToshinoriMaeno <<DateTime(2022-06-10T09:09:26+0900)>>
+{{{
｢到達性のないメールアドレス｣をIDとして登録できるサービスがあるらしい。
}}}
-- ToshinoriMaeno <<DateTime(2022-06-10T09:09:26+0900)>>

MoinQ: Diff for "なりすまし/account_pre-hijacking"

1. account_pre-hijacking

1.1. research

1.2. 紹介記事