Introduction:
The possibility of account takeover looms large in today’s interconnected society, as digital platforms serve as conduits to our personal and financial information. Account takeover refers to hostile actors gaining unauthorised access to a user’s account, which frequently results in data breaches and financial loss. To tackle this threat, organisations must proactively address pre-account takeover vulnerabilities: exploitable flaws in the account setup and administration processes. In this blog, we will cover real-world examples of pre-account takeover vulnerabilities and their potential implications.
Understanding Pre-Account Takeover Vulnerabilities:
Pre-account takeover vulnerabilities encompass a range of weaknesses that attackers can exploit to gain unauthorized access to user accounts. These vulnerabilities typically exist during the account creation, login, and account recovery stages. They can be the result of poor password policies, weak authentication mechanisms, insufficient security questions, or flawed email verification processes. Additionally, social engineering techniques such as phishing attacks and SIM swapping can also be used to exploit pre-account takeover vulnerabilities.
Attack Requirement:
The attack is not possible everywhere. These are the requirements for this type of attack:
Lack of Email Verification: Either the target application has no email verification feature or it is easily circumvented. Normally, when a new user opens an account on an application, the email must be verified before access is granted. In a nutshell, this is the necessary component for carrying out this attack: because of this misconfiguration, an attacker can register an account in the application using the victim user’s email address before the victim does, i.e. pre-authentication.
Social Logins: The target application should also support at least one social login, such as Google, Facebook, Twitter or another service. Furthermore, the email address on the victim’s social account must be the same as the one the attacker used to register.
Victim User’s Email: The final component is the victim user’s email address; nevertheless, obtaining it is not a difficult operation, since email addresses can often be enumerated quickly.
How to perform this attack:
Steps To Reproduce:
1. [Attacker’s Action] Using the victim’s email address, navigate to the target application and create a new account. I used a Gmail account to sign up for an account as the victim because the application also offers a Google Authentication option.
2. Once the registration procedure is complete, verify that the application properly logs in the user and that all of the application’s capabilities are usable.
3. Log out and return to the target application’s login screen.
4. [Victim’s Step] Use Google Authentication this time, and sign in with the same email address from Step 1.
5. Observe that the victim user can access the application after a successful login. After that, make some modification in the application, such as updating your profile.
6. [Attacker’s Action] Now, in a separate browser window, try logging in with the email and password used for registration in Step 1.
7. Observe that the attacker has successfully logged into the victim’s account and can view all of the changes made by the victim.
Impact:
I was able to utilise the application without being connected to an actual email address by getting around the account verification requirement. Additionally, I was able to set up pre-account takeovers on any email address that wasn’t already registered, ready for when an unwitting victim checked in for the first time with Facebook, Twitter, or another service.
Remediation:
Making sure that email verification is correctly implemented and cannot be bypassed is the simplest way to fix this problem: an account whose email has never been verified should not be usable.
Additionally, social logins should be implemented so that the email returned by the identity provider is checked against the database of existing users. If an account already exists for that email but was never verified, it must not be linked silently; the pre-registered password should be invalidated and the user required to set a new one (for example via a password reset). By doing this, the attacker’s persistence is eliminated.
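To make the two remediations concrete, here is an added example (not code from the original post or from any application it describes) that replays the steps above against a toy account store. It contrasts a social-login handler that links to an unverified pre-registered account as-is with a hardened one that revokes the unverified password; the email and password-hash values are constructed, and names such as UserStore are assumed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None   # set by password sign-up; None = no password credential
    email_verified: bool = False          # True only once mailbox ownership has been proven

class UserStore:
    def __init__(self):
        self.accounts = {}

    def register(self, email, password_hash):
        # Password sign-up creates the account but does not prove control of the mailbox.
        acct = Account(email.lower(), password_hash)
        self.accounts[acct.email] = acct
        return acct

    def social_login_vulnerable(self, idp_email):
        # Flaw from the post: an existing account with the same email is used as-is,
        # so the attacker's pre-registered password keeps working after the victim signs in.
        return self.accounts.setdefault(idp_email.lower(), Account(idp_email.lower(), email_verified=True))

    def social_login_hardened(self, idp_email):
        email = idp_email.lower()
        acct = self.accounts.get(email)
        if acct is None:
            acct = self.accounts[email] = Account(email)
        elif not acct.email_verified:
            # The identity provider has asserted mailbox ownership; whoever pre-registered never did.
            # Revoke the unverified password so the pre-registration grants no access.
            acct.password_hash = None
        acct.email_verified = True
        return acct

    def password_login(self, email, password_hash, require_verified):
        acct = self.accounts.get(email.lower())
        if acct is None or acct.password_hash is None or acct.password_hash != password_hash:
            return False
        return acct.email_verified or not require_verified   # hardened: unverified accounts cannot log in

def attacker_still_has_access(hardened):
    """Replays the post's steps with constructed values: the attacker pre-registers victim@example.com,
    the victim later signs in via Google; returns whether the attacker's password still opens the account."""
    store = UserStore()
    store.register("victim@example.com", "hash-of-attacker-password")     # step 1
    login = store.social_login_hardened if hardened else store.social_login_vulnerable
    login("victim@example.com")                                            # victim's step
    return store.password_login("victim@example.com", "hash-of-attacker-password", hardened)
```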
Conclusion:
Pre-account takeover vulnerabilities pose a significant risk to user accounts and organizations’ security. By prioritizing password policies, implementing multi-factor authentication, and fortifying account recovery processes, individuals and businesses can enhance their defenses and protect themselves from unauthorized access and potential data breaches.
Abdul Mannan
(Cyber Security Intern)