| /2 /5 /6 /Ghasemisharif /SSO /hackernews /microsoft /theregister |
Contents
Avinash Sudhodanan in collaboration with Andrew Paverd
New Research Paper: Pre-hijacking Attacks on Web User Accounts
https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/
if the attacker can create an account at a target service using the victim’s email address before the victim creates an account, the attacker could then use various techniques to put the account into a pre-hijacked state.
Pre-hijacked accounts: An Empirical Study of Security Failures in User Account Creation on the Web
https://arxiv.org/abs/2205.10174
https://arxiv.org/pdf/2205.10174.pdf 2205.10174.pdf