New 'Pre-Hijacking' a Threat to User Accounts

John Lister's picture

Nearly half of all leading websites are vulnerable to an audacious hacking method according to a new report. The attacks involve hijacking an account before it has even been created.

The scam uses various methods, but usually involves creating an account using an email address, then waiting for the actual owner of that email address to attempt to create an account on a specific website.

Microsoft's Andrew Paverd and independent researcher Avinash Sudhodanan detailed the problems in a research paper and blog post. (Source:

They say the "root cause" of the problem is that many websites let users who create an account access some features before they prove they own the email address they used to sign up. That's usually done by sending an email with a link or confirmation code.

Password Resets Vulnerable

The researchers detailed five ways attackers could take advantage of this flaw depending on the design of the site in question. While some where highly technical, others were more basic.

For example, one approach is to create an account using the email address then wait for the real person to sign up using a third-party login such as their Facebook or Google details. In some cases this will leave both the scammer and real person able to access the account. (Source:

Another tactic involves taking advantage of sites that don't close all active sessions when the real user resets their password.

35 Leading Sites At Risk

The researcher say they tested the techniques on 75 of the 150 most popular websites. They found 35 were vulnerable to at least one of the methods. They say they've passed on full details to the affected sites and then waited at least seven months before going public, but fear other sites remain vulnerable.

According to the researchers, the simplest solution is that sites should stop users doing anything with an account until they have confirmed their email address or other form of identity is correct. They also say sites should consider locking users out completely during a password reset and regularly deleting any accounts that have been created but not yet verified.

What's Your Opinion?

Are you surprised by this report? Last time you created an account, were you able to do anything before confirming your email address? Are the researcher's suggested fixes realistic?

Rate this article: 
Average: 5 (9 votes)


Focused100's picture

There are too many techies out there who have control of sites big and small.
They're just not paying attention to how easy it is for someone with a bit of knowledge to hack a site.

Chief's picture

Remember Willie Sutton? "I rob banks because that's where the money is."
About time someone thought of crashing websites - it's a lot faster than cracking users one at a time.

That said, how do we protect ourselves?
Dennis Faas, care to comment? I've been following you for decades now and highly respect your advice.

So far, with 2-factor turned on, I know I've been attempted on more than one site. Of course, they can't get in without knowing or accessing the 2nd factor, so I get notified, and that's it.

Beyond that, I don't know. Yet.