Account Pre-Hijacking: Two Variants the Industry Keeps Confusing
In 2022, Microsoft Research published “Pre-hijacking Attacks on Web User Accounts” at USENIX Security. It surveyed 75 popular services and found that roughly 47% were vulnerable to one or more variants of account pre-hijacking, a class of attack that lets an adversary gain persistent access to an account the victim hasn’t created yet. The paper is excellent. But the way the industry absorbed it has created a new problem: the two main variants get lumped together under the same label, triaged as if they’re the same threat, and dismissed or accepted for the wrong reasons. ...