Cybercriminals don’t need initials, bank accounts or passwords to steal accounts. An email address is often enough. New research from Microsoft raises concerns.

We often think that cybercriminals require varies data to steal user accounts. For example, a date or place of birth, which can be used to answer security questions when recovering passwords. Although personal data makes things easier, it’s everything but necessary. New research shows that an email address is sufficient to steal accounts on the world’s most popular websites.

The research was conducted by Andrew Paverd and Avinash Sudhodanan. Paverd works for Microsoft, Sudhodanan is independent. In 2020, the duo received a grant to research the security of popular authentication systems. The researchers came across ‘pre-hijacking’, a creative method for stealing accounts. Approximately half of the world’s most popular websites turned out to be vulnerable to the method. An alarming fact, because pre-hijacking is surprisingly easy to carry out.

How does pre-hijacking work?

A cybercriminal has several options for stealing accounts. Phishing and social engineering are regularly successful, but far from efficient. A cybercriminal requires lots of data to bypass two-factor authentication. When it comes to pre-hijacking, a single email address is typically enough. The attacker uses a victim’s email address to create accounts for websites on which the victim is not yet registered. If the victim tries to create an account at a later point in time, the e-mail address appears to already be in use. The system may request the victim to reset his or her password. The victim receives a reset link, changes the password and is unaware of any danger.

A website or web app is supposed to remove the attacker from the account after a password is reset, but that regularly goes wrong. The researchers found five common vulnerabilities that allow an attacker to retain access. For example, an attacker can remain logged on while the victim recovers the password. The attacker waits while the victim configures the account, refreshes the page and steals all the data that has been provided thus far.

Another example revolves around the merger of Identity Providers (IdP) and Single Sign-On (SSO) systems, two different authentication solutions. Both options have advantages and disadvantages, which is why some websites choose both systems. In this case, an attacker can create an account with SSO. If the victim registers with IdP at a later point in time, the accounts are merged and the attacker retains access.

Half are vulnerable

The researchers analyzed 75 of the 150 most popular Internet services for similar vulnerabilities. About half were found to be vulnerable, including Dropbox, Instagram and LinkedIn. The researchers contacted every organization affected. The vulnerabilities have since been resolved.

“It is highly likely that other websites and online services, beyond the 75 we analyzed, will also be vulnerable to these attacks”, the researchers said. “That is why we are publishing the report. It is important to bring the vulnerabilities to light so that every organisation with a website or web app can take action to protect their user accounts.”