Account Pre-Hijacking
- The attacker signs up with xxxx@gmail.com (the victim's address) via the normal email/password flow and picks the password.
- The verification email arrives in the victim's mailbox but is ignored (it may even be flagged as spam, or simply never read because, for now, it comes from an unknown service). The record nevertheless exists in the site's database, unverified, with the attacker's password attached.
- The victim, at some time in the future, goes to the site and signs up (they think) by clicking 'Sign up with Google'.
- The site finds the existing record for xxxx@gmail.com, merges the new Google identity into it and signs the victim in; because Google has already asserted ownership of the address, there is no email link that has to be clicked.
The site's (erroneous) database entry is now a verified (via SSO) account that still carries a manual password. The attacker can log in with the password they set in the first place, while the real user logs in via the Google SSO link, and neither sees anything wrong. The root cause is that the merge trusts an existing record whose email address was never verified: the fix is to refuse to merge an unverified record, or to strip its password and invalidate its sessions before attaching the SSO identity.
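The merge logic described above, as an added example that is not code from the original note: a minimal in-memory user store with the vulnerable "merge on SSO sign-up" path beside a hardened one. All names (UserStore, sso_signup, run_scenario, the sample Google subject id) are hypothetical and the scenario data is constructed for the example.

```python
"""Added example (not from the original note): account pre-hijacking via
SSO merge. `harden=False` reproduces the flaw; `harden=True` shows the fix.
All class and function names are hypothetical."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    email: str
    salt: bytes = b""
    pw_hash: bytes = b""
    email_verified: bool = False
    google_sub: Optional[str] = None  # subject claim from the Google ID token
    session_epoch: int = 0            # bump to invalidate every existing session


class UserStore:
    def __init__(self, harden: bool):
        self.harden = harden
        self.users: Dict[str, User] = {}

    def password_signup(self, email: str, password: str) -> None:
        # Creates an UNVERIFIED record; the verification mail may never be clicked.
        salt = os.urandom(16)
        self.users[email] = User(email, salt, _hash(password, salt))

    def password_login(self, email: str, password: str) -> bool:
        u = self.users.get(email)
        if u is None or not u.pw_hash:
            return False
        if self.harden and not u.email_verified:
            return False  # extra defence: unverified records cannot log in at all
        return hmac.compare_digest(_hash(password, u.salt), u.pw_hash)

    def sso_signup(self, email: str, google_sub: str) -> User:
        # Google has asserted ownership of `email` (email_verified claim in the ID token).
        u = self.users.get(email)
        if u is None:
            u = User(email, email_verified=True, google_sub=google_sub)
            self.users[email] = u
            return u
        if self.harden and not u.email_verified:
            # The pre-existing record was never verified, so nothing in it can be
            # trusted: drop the attacker-chosen password and kill its sessions.
            u.salt, u.pw_hash = b"", b""
            u.session_epoch += 1
        # Vulnerable path (harden=False): merge blindly and keep the old password.
        u.email_verified = True
        u.google_sub = google_sub
        return u

    def sso_login(self, email: str, google_sub: str) -> bool:
        u = self.users.get(email)
        return u is not None and u.google_sub == google_sub


def run_scenario(harden: bool) -> bool:
    """True if the attacker's password still works after the victim's SSO sign-up."""
    store = UserStore(harden)
    store.password_signup("victim@gmail.com", "attacker-chosen-pw")   # step 1
    store.sso_signup("victim@gmail.com", google_sub="10769150350006150715113082367")  # step 3/4
    return store.password_login("victim@gmail.com", "attacker-chosen-pw")


def victim_still_works(harden: bool) -> bool:
    """The fix must not lock the legitimate user out of their SSO login."""
    store = UserStore(harden)
    store.password_signup("victim@gmail.com", "attacker-chosen-pw")
    store.sso_signup("victim@gmail.com", google_sub="10769150350006150715113082367")
    return store.sso_login("victim@gmail.com", "10769150350006150715113082367")


if __name__ == "__main__":
    print("vulnerable: attacker retains access ->", run_scenario(harden=False))
    print("hardened:   attacker retains access ->", run_scenario(harden=True))
```

The design choice in the hardened path is to keep the record (so the victim's SSO sign-up still succeeds) but treat everything the unverified record contained as attacker-controlled: the password is discarded and `session_epoch` is bumped so any session the attacker opened before the merge is invalidated. Refusing the merge outright and creating a fresh account is an equally valid alternative.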