Some features on well-known online platforms have loopholes that allow cybercriminals to pre-hijack accounts on them without knowing any password. According to the researchers, an attacker needs only the victim’s email address, which is easy to obtain.
The research was conducted by cybersecurity researchers at the Microsoft Security Response Center together with independent researcher Avinash Sudhodanan. They found a way to take over online accounts simply by getting there first: if the attacker finds a service where the victim has not yet registered their email address, the attacker creates an account on that service in the victim’s name.
Some services also allow different accounts to be merged. On such services, where confirmation via email is required, the attacker registers with a different email address and then switches the account’s address to the victim’s. When the victim later tries to register with that already-registered email, the service offers a single sign-on option instead, and does not even ask for a password at login. As a result, both the victim and the attacker remain logged into the same account on that service, and no password change takes place. In some cases, the attacker also runs an automated script to keep their session active for a long time.
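As an added illustration, not code from the paper or from this article, the following toy Python model reproduces the merge described above: the attacker registers with the victim’s address, the victim later signs in through single sign-on and is merged into that account, and the attacker’s earlier session survives unless the service revokes all existing sessions when ownership of the address is proven. The service class, account structure and flow names are constructed assumptions.

```python
"""Toy model of an account pre-hijacking merge and its session-revocation fix."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    email_verified: bool = False          # classic signup leaves this False until confirmed
    sessions: set = field(default_factory=set)


class AccountService:
    def __init__(self, revoke_on_merge: bool):
        # revoke_on_merge=False reproduces the vulnerable behaviour;
        # revoke_on_merge=True is the hardened variant.
        self.revoke_on_merge = revoke_on_merge
        self.accounts: dict[str, Account] = {}

    def _new_session(self, acct: Account) -> str:
        token = secrets.token_hex(8)
        acct.sessions.add(token)
        return token

    def signup_classic(self, email: str) -> str:
        # Weak flow (assumed): the account is usable before the email is verified,
        # so anyone who knows the address can create it first. Passwords omitted.
        if email in self.accounts:
            raise ValueError("email already registered")
        acct = Account(email)
        self.accounts[email] = acct
        return self._new_session(acct)

    def signin_federated(self, idp_email: str) -> str:
        # The identity provider asserts the email, which proves ownership of it.
        acct = self.accounts.get(idp_email)
        if acct is None:
            acct = Account(idp_email, email_verified=True)
            self.accounts[idp_email] = acct
        elif self.revoke_on_merge:
            # Hardened: a fresh proof of ownership invalidates every pre-existing
            # session, so an attacker who pre-registered the address is logged out.
            acct.sessions.clear()
        acct.email_verified = True
        return self._new_session(acct)

    def is_valid(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and token in acct.sessions


def attacker_keeps_access(revoke_on_merge: bool) -> tuple:
    # Constructed scenario: attacker pre-registers, victim then arrives via SSO.
    svc = AccountService(revoke_on_merge)
    attacker_token = svc.signup_classic("victim@example.com")
    victim_token = svc.signin_federated("victim@example.com")
    return (svc.is_valid("victim@example.com", attacker_token),
            svc.is_valid("victim@example.com", victim_token))
```

`attacker_keeps_access(False)` returns `(True, True)`: both parties hold live sessions on the merged account, which is the unexpired-session outcome the article describes; `attacker_keeps_access(True)` returns `(False, True)`.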
The researchers disclosed their findings to some of the biggest sites, and most of them have since closed the loophole. Some sites, however, still have it, with no clarity about when or whether they will fix it, so unsuspecting users remain at the mercy of cybercriminals and in danger of having their accounts hijacked.
The “Pre-hijacking Attacks on Web User Accounts” paper, published by Microsoft’s Security Response team, offers further details on the issue: it explains how these attacks work and highlights ways users can spot and mitigate the threat. Setting up security keys and other forms of multi-factor authentication remains one of the best ways to keep such attackers out.