How pre-hijacking works
For a pre-hijacking attack to work, the hacker needs to know a target's email address, which is relatively easy through email correspondence or via the numerous data breaches that plague companies daily.
Next, an attacker creates an account on a vulnerable site using the target's email address and hopes that the victim dismisses the notification that arrives in their inbox, deeming it spam. Finally, the attacker waits for the victim to create an account on the site or indirectly tricks them into doing it.
During this process, there are five different attacks that threat actors can conduct, namely the classic-federated merge (CFM) attack, the unexpired session identifier (US) attack, the trojan identifier (TID) attack, the unexpired email change (UEC) attack, and the non-verifying identity provider (NV) attack, where IdP stands for identity provider.
In the first case, CFM, the vulnerable platform merges accounts when the target signs up with an email address that already exists and, in some cases, doesn't even tell them that an account was already there. This attack relies on the victim signing in through a single-sign-on (SSO) option, so they never change the password the attacker set.
In the unexpired session attack, the hacker uses an automated script to keep their session active after creating the account. When the victim creates an account and resets the password, the active session might not be invalidated, so the attacker can continue accessing the account.
The trojan identifier method combines the Classic-Federated Merge and Unexpired Session attacks.
"The attacker creates a pre-hijacked account using the victim’s email address, but then associates the account with the attacker’s IdP account for federated authentication. When the victim resets the password (as in the Unexpired Session Attack), the attacker can still access the account via the federated authentication route," explains the paper.
In the UEC attack, the attacker creates an account using the victim's email address and then submits a change request for that email but doesn't confirm it. Then, after the victim performs the password reset, the attacker validates the change and assumes control of the account.
Finally, in the NV attack, the threat actor exploits an IdP that does not verify ownership of the email address when an account is created, opening up the way to abuse cloud-based login services like Okta and OneLogin.
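As an added illustration that is not part of the article or of the paper it summarizes, the following Python sketch of an account service shows the defensive checks that close the five variants above: an unverified pre-existing account is never merged into a federated login (CFM), a password reset by the mailbox owner invalidates every earlier session (US), drops IdP links made before the address was verified (TID) and cancels any unconfirmed email change (UEC), and assertions from an IdP that did not verify the mailbox are refused (NV). The class and method names, the sample addresses and the scenario functions are constructed for this example.

```python
"""Constructed account-service model illustrating pre-hijacking mitigations."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    password: str | None = None           # None for federated-only accounts
    email_verified: bool = False          # True once the mailbox owner proved control
    sessions: set[str] = field(default_factory=set)
    federated_ids: set[str] = field(default_factory=set)
    pending_email_change: str | None = None


class AccountService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def _new_session(self, acct: Account) -> str:
        sid = secrets.token_hex(8)
        acct.sessions.add(sid)
        return sid

    def create_account(self, email: str, password: str) -> str:
        """Classic signup. The address stays unverified until confirmed."""
        acct = self.accounts.setdefault(email, Account(email=email))
        acct.password = password
        return self._new_session(acct)

    def federated_login(self, email: str, idp_subject: str, idp_verified_email: bool) -> str:
        # NV: never trust an IdP assertion for an address the IdP did not verify.
        if not idp_verified_email:
            raise PermissionError("IdP did not verify the email address")
        acct = self.accounts.get(email)
        # CFM: an unverified pre-existing account may have been planted by someone
        # else; discard it (password, sessions, links) instead of merging into it.
        if acct is None or not acct.email_verified:
            acct = self.accounts[email] = Account(email=email, email_verified=True)
        acct.federated_ids.add(idp_subject)
        return self._new_session(acct)

    def reset_password(self, email: str, new_password: str) -> str:
        """Reset via a link sent to the mailbox, so it proves mailbox ownership."""
        acct = self.accounts[email]
        if not acct.email_verified:
            acct.federated_ids.clear()     # TID: links made before verification go
        acct.email_verified = True
        acct.password = new_password
        acct.sessions.clear()              # US: every earlier session is invalidated
        acct.pending_email_change = None   # UEC: unconfirmed address change cancelled
        return self._new_session(acct)

    def request_email_change(self, email: str, new_email: str) -> None:
        self.accounts[email].pending_email_change = new_email

    def confirm_email_change(self, email: str) -> bool:
        acct = self.accounts[email]
        if acct.pending_email_change is None:
            return False                   # nothing pending (e.g. cleared by a reset)
        old = acct.email
        acct.email = acct.pending_email_change
        acct.pending_email_change = None
        self.accounts[acct.email] = self.accounts.pop(old)
        return True

    def is_session_valid(self, email: str, sid: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and sid in acct.sessions


def reset_closes_us_tid_uec() -> bool:
    """Scenario: a planted account, then the mailbox owner resets the password."""
    svc = AccountService()
    planted = svc.create_account("owner@example.test", "planted-pw")
    svc.request_email_change("owner@example.test", "other@example.test")
    owner = svc.reset_password("owner@example.test", "owner-pw")
    return (not svc.is_session_valid("owner@example.test", planted)
            and svc.is_session_valid("owner@example.test", owner)
            and svc.confirm_email_change("owner@example.test") is False
            and "owner@example.test" in svc.accounts)


def federated_login_closes_cfm() -> bool:
    """Scenario: a planted account, then the owner signs in via a verifying IdP."""
    svc = AccountService()
    planted = svc.create_account("owner@example.test", "planted-pw")
    svc.federated_login("owner@example.test", "idp-subject-1", idp_verified_email=True)
    acct = svc.accounts["owner@example.test"]
    return (not svc.is_session_valid("owner@example.test", planted)
            and acct.password is None and acct.email_verified)


if __name__ == "__main__":
    print("US/TID/UEC closed:", reset_closes_us_tid_uec())
    print("CFM closed:", federated_login_closes_cfm())
```

The two scenario functions replay the article's sequence (account planted first, owner arrives later) and return True only if the planted session, password, IdP link and pending email change are all gone afterwards; a real service would additionally expire unverified accounts after a short window, which the paper also recommends.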