Online accounts that have not even been registered yet can also be taken over by hackers

According to a new study, cyber attackers can take over accounts that have not yet been registered. The study highlighted weak spots that were later fixed by well-known platforms, including the social media giant Instagram, as well as Zoom, LinkedIn, and Dropbox.

The research was based on data collected by Andrew Paverd, a security analyst at the Microsoft Security Response Center, and Avinash Sudhodanan, an independent researcher. The two went through over seventy-five different applications and found that up to thirty-five of them were exposed to this kind of abuse.

Even though most of these sites invite anyone to report bugs, it is shocking that they are still exposed to such attacks.

The attackers begin by obtaining the victim's email address. They then use that address to create a user profile on a vulnerable site. Victims usually ignore the resulting notification emails, and the attackers take advantage of this. The third and final step is where the victim is lured into creating an account on one of these same sites.

During this process, five different attack variants can hit the victim. The first has been named the Classic Federated Merge. In this scenario, the attacker creates a profile with an email address that already belongs to someone else, and the real owner of the address is unaware of it. When the victim later signs up through the site's single sign-on option, the victim is never required to change the password, so the attacker can stay logged in.

The second type is the unexpired session, in which the attacker keeps the login session alive with an automated script. If the real user later changes the login credentials, the attacker's already logged-in session is not affected.

The third type, named the Trojan identifier, combines the first two. The attacker links an IdP identity to the profile for verification; even if the credentials are later changed, the account remains accessible to the hijacker through the federated login route.

In the fourth, the attacker creates a profile and then submits a request to update the email address, but never completes it. Later, once the victim updates the login information, the attacker is free to complete the change and take over the account.

In the last type, the attacker abuses the identity provider (IdP) used at the time of account creation, which creates an opportunity to misuse login services such as Okta.

Because most sites do not require a second verification step when the email address is updated, that check can be skipped; in other cases, an account is created with a different email address that is later replaced with the victim's.
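To make the unexpired-session and unexpired-email-change variants concrete from the defender's side, here is an added example (not code from the study or from any of the named platforms) of a toy account service in which a password reset either leaves the attacker's foothold in place or, in hardened mode, clears it. All names and addresses are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    password: str
    sessions: set = field(default_factory=set)      # live session tokens
    pending_email: "str | None" = None               # unconfirmed email change

class AccountService:
    def __init__(self, hardened):
        self.hardened = hardened   # True: reset also revokes sessions and pending changes
        self.accounts = {}
    def signup(self, email, password):
        self.accounts[email] = Account(email, password)
    def login(self, email, password):
        acct = self.accounts[email]
        if acct.password != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token
    def session_valid(self, email, token):
        return token in self.accounts[email].sessions
    def request_email_change(self, email, new_email):
        self.accounts[email].pending_email = new_email  # confirmation link sent
    def reset_password(self, email, new_password):
        # The victim proves ownership via the reset link and sets a password.
        acct = self.accounts[email]
        acct.password = new_password
        if self.hardened:
            acct.sessions.clear()       # ends the attacker's unexpired session
            acct.pending_email = None   # cancels the unexpired email change
    def confirm_email_change(self, email):
        acct = self.accounts[email]
        if acct.pending_email is None:
            return False
        acct.email, acct.pending_email = acct.pending_email, None
        return True

def simulate(hardened):
    # Runs the pre-hijack sequence; True values mean the attacker keeps a foothold.
    svc = AccountService(hardened)
    victim, attacker = "victim@example.test", "attacker@example.test"  # constructed
    svc.signup(victim, "attacker-chosen-pw")          # attacker pre-registers
    token = svc.login(victim, "attacker-chosen-pw")   # session kept alive by a script
    svc.request_email_change(victim, attacker)        # deliberately left unconfirmed
    svc.reset_password(victim, "victim-chosen-pw")    # victim reclaims the account
    return {"session_alive": svc.session_valid(victim, token),
            "email_change_confirmed": svc.confirm_email_change(victim)}
```

`simulate(False)` reports both footholds surviving the reset, while `simulate(True)` reports both closed; the real fix is the same two lines in `reset_password`, applied to every ownership-proving action.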

Most of the affected sites have since fixed the issues. Many sites and applications want the signup process to be user-friendly and pay little attention to the security risks. However, enabling two-step verification can help users protect themselves from such attacks.
