| /2 /5 /6 /Ghasemisharif /SSO /hackernews /microsoft /theregister |
Contents
identity theftの手口のいくつか Microsoft Security Response Center /microsoft
/SSO Single Sign-On (SSO), federated identity management
/メイルアドレス をid として使うサービスで危ない場合がある。
Avinash Sudhodanan in collaboration with Andrew Paverd
New Research Paper: Pre-hijacking Attacks on Web User Accounts
https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/ /microsoft
if the attacker can create an account at a target service using the victim’s email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state.
Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web
https://arxiv.org/abs/2205.10174
https://arxiv.org/pdf/2205.10174.pdf 2205.10174.pdf
4 Account Pre-Hijacking Attacks
For all these attacks, the attacker needs to identify services at which the victim does not yet have an account but is likely to create one in future.
Root Cause and Mitigation Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account. Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.
1. 解説
/Zolz https://www.helpnetsecurity.com/2022/05/24/account-pre-hijacking/
https://www.theregister.com/2022/05/25/web_pre_hijacking/