Aug 28, 2024

How to Prevent Account Takeover: Real-life Scenarios and Mitigation Steps

Ignoring security in the name of progress is a risky gamble. Even a tiny oversight, like failing to verify the user's password during an email change, can result in an account takeover. You read that right: this seemingly minor issue can be a major troublemaker.

In this article, our expert security team will discuss simple yet effective steps to prevent account takeover caused by email change misconfiguration and educate your teams on recognizing and reacting to potential dangers. By learning from real-world examples, developers and security professionals can easily implement robust security measures to safeguard apps and user data from malicious actors and fraud.


Email Change Misconfiguration: A Pathway to Account Takeover

One of the most overlooked vulnerabilities in application security is allowing a user's registered email address to be changed without password verification. Letting users change their email address without re-entering their current password opens a significant security gap.

Attackers can exploit this weakness to gain control of accounts by changing the registered email address to one they control. Once they have done this, they can reset passwords, access sensitive information, and potentially use the account for fraudulent activities.

It’s not just a scary story. In real-life scenarios, several high-profile breaches have occurred due to inadequate verification during the email change process. For instance, a major e-commerce platform experienced a massive data breach when attackers exploited this flaw, resulting in significant financial losses and a damaged reputation.

What is the least impactful scenario?

Even if we consider the least impactful scenario, the consequences are still problematic:

  1. User mistake: A legitimate user accidentally changes their email address to one they don’t control.
  2. Loss of access: The user cannot recover access to their account because password resets and other communication now go to an address they do not control.
  3. Security risk and user experience: This scenario highlights a significant security risk and creates a poor user experience.

Even with this minimal-impact scenario, the implications are severe. Attackers can exploit the mistake to intercept sensitive communications, further escalating the risk.

How do such issues occur in Applications?

  1. Underestimation of risk: Developers often give this vulnerability too little attention because they prioritize ease of use over stringent security measures.
  2. Password verification oversight: Many teams consider requiring password verification for email changes an unnecessary inconvenience.
  3. Assumptions about access: Developers may assume that temporary access to an account is rare or that existing security measures are adequate.

Prioritizing user experience shouldn’t mean sacrificing security. Requiring password verification for email changes might seem like a hassle, but it’s a crucial safeguard.

Real-world scenarios of Account Takeover and Privilege Escalation from the Purple Team

When an email change weakness is chained with other security flaws, the consequences multiply. Below are detailed scenarios collected by our Purple team. They show how attackers escalate an email change misconfiguration into full account takeover and privilege escalation.

Scenario 1: Combining with Cross-Site Scripting (XSS)

At WebCo, attackers discovered an XSS vulnerability. Although the website’s session cookies were marked HttpOnly, preventing the script from reading them directly, the attackers crafted a malicious script that ran in the victim’s browser and sent an email change request; because the browser attached the victim’s cookies automatically, the request was fully authenticated. Once the administrator’s email was altered, the attackers used the “Forgot password” functionality to reset the password via the new email address, taking over the account and escalating their privileges.

Scenario 2: Exploiting Broken Access Control (BAC)

In another instance at DataCorp, a BAC vulnerability allowed users to change email addresses using a unique user ID without proper authorization checks. Exploiting this flaw, attackers altered the victim’s email to one they controlled. They then used the “Forgot password” function to reset the password, gaining complete access to the account with higher privileges. This scenario underscores the critical need for stringent access controls, but proper password verification before email changes would significantly reduce the impact.

Scenario 3: Utilizing Cross-Site Request Forgery (CSRF)

At SecureTech, an attacker created a harmful website that tricked users into sending requests to the target application. When the victim, who was already logged into their account, visited this site, it requested to change the victim’s email address to one controlled by the attacker. The attacker then used the “Forgot password” feature to gain control of the account.

Other Exploitation Methods

In numerous cases, attackers already possessed temporary access to user accounts, whether through phishing or other means, and found that the absence of password verification for email changes made a permanent account takeover trivially easy. This highlights the pervasive nature of the risk.

Now that you know the origin of the vulnerability and its scenarios, let’s move on to something practical: security strategies for preventing account takeover fraud.

How to Prevent Account Takeover (Worst Scenario of Email Change Errors)

In every case where we found such a chain of vulnerabilities and exploitation scenarios, we applied a client-specific mitigation strategy in addition to the general recommendations for each vulnerability. Here are the most common measures:

Mitigation strategy

  1. Require Current Password for Email Changes
    Always require users to enter their current password when changing their email address. This adds an extra layer of authentication and helps prevent account takeover.
  2. Enable Multi-Factor Authentication (MFA)
    Implement MFA for account changes. The most popular is 2-factor or 2-step Authentication. Even if an attacker gains access to email, they would need the second authentication factor to make any changes.
  3. Set up Email Change Notifications
    Send a notification to the user’s old email address when an email change is requested. This allows users to react quickly if the change is unauthorized.
  4. Adopt Monitoring and Alert services
    Don’t know how? Implement monitoring and alerting for suspicious activities, such as multiple email change attempts or changes from unusual locations on the UnderDefense MAXI MDR platform. Our monitoring solution uses real-time data and advanced analytics to continuously evaluate user behavior and detect anomalies indicative of potential security threats.
    Our platform promptly identifies such activities in clients’ applications and raises alerts as soon as they occur.
    Even if you are not an UnderDefense client, you can easily use our UnderDefense MAXI platform to forward alerts from your MDR, EDR, and SIEM solutions to Slack, Jira, Teams, Google Chat, or PagerDuty to reduce time to response—for free.
    For personalized 24/7 support, contact the UnderDefense dedicated Concierge team. They can help implement and enhance custom security strategies effectively to prevent account takeover and beyond.
  5. Educate teams
    Our team adopts a proactive security approach by regularly educating company members about essential security practices. These include but are not limited to recognizing phishing attempts and securing their devices. Our unique in-house Security Awareness Training program offers comprehensive resources to help your colleagues stay vigilant, informed, and, thus, prepared for different attack vectors. Fraud prevention is not a myth, and simple educational steps can guarantee that digital assets are safe. 

    By participating in this training, our clients’ employees better understand the importance of cybersecurity and learn practical steps to protect themselves and their organization from potential threats. 
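The mitigations 1 to 4 above combined in one email change handler, as an added example that is not UnderDefense’s code or the OWASP flow: the user must re-enter the current password, present a TOTP code as the second factor, the old address is notified before the switch, and repeated failures within a window raise an alert that a monitoring platform could ingest. The in-memory user record, outbox, alert list and the thresholds are assumptions made for the example.

```python
"""Email-change handler applying: current-password check, MFA, notification
to the old address, and alerting on repeated failures (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000
MAX_FAILED_ATTEMPTS = 3      # assumption: failures before an alert is raised
FAILURE_WINDOW_S = 15 * 60   # assumption: window in which failures are counted


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    failed_changes: list = field(default_factory=list)  # timestamps of failures


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; a real system would use its existing password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str, totp_secret: bytes) -> User:
    salt = os.urandom(16)
    return User(email, salt, hash_password(password, salt), totp_secret)


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, used here as the second factor."""
    counter = (now // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def change_email(user: User, current_password: str, mfa_code: str,
                 new_email: str, now: int, outbox: list, alerts: list) -> str:
    """Return "ok" on success or the rejection reason. `outbox` collects
    (recipient, message) pairs; `alerts` collects monitoring alerts."""

    def fail(reason: str) -> str:
        # Keep only failures inside the window, then alert on a burst.
        user.failed_changes.append(now)
        recent = [t for t in user.failed_changes if now - t <= FAILURE_WINDOW_S]
        user.failed_changes = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            alerts.append(f"ALERT account={user.email} failed_email_changes={len(recent)}")
        return reason

    # 1. Re-authenticate with the current password (constant-time comparison).
    if not hmac.compare_digest(hash_password(current_password, user.salt), user.pw_hash):
        return fail("bad_password")
    # 2. Second factor: accept the current step and one step either side for clock skew.
    if not any(hmac.compare_digest(mfa_code, totp(user.totp_secret, now + d))
               for d in (-30, 0, 30)):
        return fail("bad_mfa")
    # 3. Notify the OLD address before switching, so the real owner can react.
    old_email = user.email
    outbox.append((old_email, f"Your email is being changed to {new_email}. "
                              "If this was not you, contact support immediately."))
    user.email = new_email
    user.failed_changes.clear()
    return "ok"


if __name__ == "__main__":
    alice = make_user("alice@example.com", "correct horse", b"demo-secret-key")
    outbox, alerts = [], []
    t = 1_700_000_000
    print(change_email(alice, "wrong", totp(alice.totp_secret, t), "x@example.com", t, outbox, alerts))
    print(change_email(alice, "correct horse", totp(alice.totp_secret, t), "alice.new@example.com", t, outbox, alerts))
    print(outbox, alerts)
```

The password and MFA checks happen before any state changes, and the notification is queued to the address on record before it is overwritten; that ordering is what gives the legitimate owner a chance to react in the CSRF and XSS scenarios above, where the request itself looks fully authenticated.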

Useful extra: the OWASP flowchart of secure email-changing functionality is a good reference for this flow.

[Figure: Secure email-changing functionality flowchart. Image source: OWASP]

Conclusion

Every scenario in this article comes from a real-life situation. Together they illustrate the importance of starting small and securing the email change functionality. As you can see, seemingly minor oversights can lead to significant security breaches, compromising user data and eroding trust in the application. But we at UnderDefense know how to handle it.

By implementing simple, robust security measures, such as requiring password re-entry for sensitive actions and monitoring suspicious activity, our developers and monitoring team safeguard user accounts and maintain the integrity of clients’ applications. 

Our experts are working on a detailed case study about the vulnerabilities leading to Account Takeover and how our Purple team contributed to account takeover prevention. Stay secure and proactive, and keep an eye out for more updates on our blog.

Frequently Asked Questions

1. What causes account takeover?

Account Takeover (ATO) attacks occur when an unauthorized individual gains control of a user’s account. Several factors can contribute to the occurrence of account takeovers:

  • Weak or reused passwords
  • Phishing attacks
  • Credential stuffing
  • Social engineering
  • Unsecured email change processes
  • Malware and keyloggers
  • Insufficient two-factor authentication (2FA)
  • Data breaches
  • API vulnerabilities, and others

2. What types of organizations are ATO’s main targets?

Unfortunately, Account Takeover (ATO) attacks can target any organization, including businesses of all sizes and domains, from retail to financial services.

3. How does an account takeover happen?

Account Takeover (ATO) involves unauthorized access to a user’s account, typically achieved through a series of steps that exploit vulnerabilities in security practices or user behavior.

4. What are the different types of attacks used in account takeovers?

We considered some application weaknesses in this article, but there could be more, depending on functionality. Phishing tricks victims into revealing information, while credential stuffing exploits reused passwords. Brute Force attempts numerous passwords quickly, often rotating through multiple IP addresses to avoid detection.

5. What are some common indicators of an account takeover?

The common signs include:

  • Sudden increases in logins from IP addresses in unusual locations.
  • Frequent changes to account details such as email address or phone number.
  • Detection of unknown devices.
  • Multiple accounts accessed from the same device.

In e-commerce, for instance, a spike in chargebacks can also indicate account takeovers.
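Detection logic for three of the indicators just listed (unknown device, many accounts from one device, a burst of account-detail changes), as an added example; this is not UnderDefense MAXI’s detection logic, the key=value log format, the known-device table and the thresholds are assumptions, and the log lines are constructed for the example.

```python
"""Toy ATO indicator detector over constructed auth-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log; a real feed would be a SIEM or application export.
SAMPLE_LOG = """\
2024-08-28T10:00:01Z user=alice device=dev-a1 ip=203.0.113.5 event=login_ok
2024-08-28T10:05:10Z user=alice device=dev-a1 ip=203.0.113.5 event=email_change
2024-08-28T10:06:00Z user=bob device=dev-z9 ip=198.51.100.7 event=login_ok
2024-08-28T10:06:30Z user=carol device=dev-z9 ip=198.51.100.7 event=login_ok
2024-08-28T10:07:00Z user=dave device=dev-z9 ip=198.51.100.7 event=login_ok
2024-08-28T10:07:20Z user=dave device=dev-z9 ip=198.51.100.7 event=email_change
2024-08-28T10:08:00Z user=dave device=dev-z9 ip=198.51.100.7 event=email_change
2024-08-28T10:09:00Z user=dave device=dev-z9 ip=198.51.100.7 event=email_change
2024-08-28T10:10:00Z user=alice device=dev-q4 ip=192.0.2.9 event=login_ok
"""

# Assumed baseline of devices each account has used before.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b2"},
                 "carol": {"dev-c3"}, "dave": {"dev-d4"}}
SHARED_DEVICE_MIN_USERS = 3     # assumption: distinct accounts on one device
CHANGE_BURST_MIN = 3            # assumption: account-detail changes per window
CHANGE_BURST_WINDOW_S = 600     # assumption: 10-minute window


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(log_text: str, known_devices: dict) -> list:
    """Return (indicator, subject, detail) tuples for the three indicators."""
    findings = []
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    users_per_device = defaultdict(set)
    changes = defaultdict(list)

    for r in records:
        users_per_device[r["device"]].add(r["user"])
        if r["event"] == "email_change":
            changes[r["user"]].append(r["ts"])
        # Indicator: successful login from a device this account has never used.
        if r["event"] == "login_ok" and r["device"] not in known_devices.get(r["user"], set()):
            findings.append(("unknown_device", r["user"], r["device"]))

    # Indicator: one device touching many accounts.
    for dev, users in users_per_device.items():
        if len(users) >= SHARED_DEVICE_MIN_USERS:
            findings.append(("shared_device", dev, tuple(sorted(users))))

    # Indicator: a burst of account-detail changes inside a sliding window.
    for user, stamps in changes.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            window = [t for t in stamps[i:] if (t - start).total_seconds() <= CHANGE_BURST_WINDOW_S]
            if len(window) >= CHANGE_BURST_MIN:
                findings.append(("change_burst", user, len(window)))
                break

    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, KNOWN_DEVICES):
        print(finding)
```

On the sample log the detector flags the three accounts logged in from the shared device dev-z9, dave’s three email changes within two minutes, and alice’s login from an unfamiliar device; each finding is a candidate for the alert routing described in the mitigation list, not an automatic lockout.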

6. What is Account Takeover Detection?

Account Takeover Detection refers to identifying and responding to signs of unauthorized access attempts on user accounts. This involves monitoring for suspicious activity, analyzing behavioral patterns, and using the tools of MDR platforms like UnderDefense MAXI to detect and mitigate potential breaches.
