Thirty-five or more of 75 widely used online services, including LinkedIn, WordPress, Zoom, Instagram, and Dropbox, could be subjected to pre-hijacking attacks, in which threat actors exploit already addressed vulnerabilities to take over online accounts prior to their creation, according to BleepingComputer.
Account pre-hijacking attacks have an impact similar to account takeovers, a study from Microsoft Security Response Center researcher Andrew Paverd and independent security researcher Avinash Sudhodanan revealed.
"Depending on the nature of the target service, a successful attack could allow the attacker to read/modify sensitive information associated with the account (e.g., messages, billing statements, usage history, etc.) or perform actions using the victim's identity (e.g., send spoofed messages, make purchases using saved payment methods, etc.)," wrote researchers.
With knowledge of their targets' email addresses, malicious actors would establish an account on a particular website and wait until their targets create an account themselves. Such a stage could entail classic-federated merge, unexpired session ID, unexpired email change, non-verifying identity provider, and trojan identifier attacks, the report showed.