Account Pre-Hijacking

1. The hacker signs up with [email protected] via the normal email/password way.
2. The email arrives in xxxx's mailbox but is ignored (it might even be flagged as something they don't read anyway because, for now, it's an unknown service).
3. The user, at some time in the future, goes to the site and signs up (they think) by clicking 'sign up with Google'.
4. The site now merges the former account with the latter and signs in the user; because they are signing in with Gmail, there is no email link that has to be clicked.
5. The site's (erroneous) db entry is now a validated (via SSO) account with a manual password; the hacker can now log in with the password they set in the first place, while the real user logs in via the Google SSO link.
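The scenario above, modelled as an added example that is not part of the issue or of any project's code: a hypothetical in-memory account store with the silent-merge behaviour the issue describes, beside a hardened variant that refuses to trust credentials created before the email address was ever verified. Class and function names (`VulnerableStore`, `HardenedStore`, `simulate`) and the sample addresses are constructed for this illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password_hash: Optional[str] = None      # set by email/password signup
    email_verified: bool = False             # True only after the link is clicked or a trusted IdP attests
    sso_providers: set = field(default_factory=set)


class VulnerableStore:
    """Reproduces the bug in the issue: an SSO login is merged into whatever
    account already exists for that email, even one that never verified it."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def signup_password(self, email: str, password_hash: str) -> Account:
        # Classic signup: account exists immediately, verification mail is sent.
        acct = Account(email, password_hash=password_hash)
        self.accounts[email] = acct
        return acct

    def login_sso(self, email: str, provider: str) -> Account:
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email)
            self.accounts[email] = acct
        acct.sso_providers.add(provider)
        acct.email_verified = True           # IdP attested the address... but the old password survives
        return acct

    def login_password(self, email: str, password_hash: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None:
            return False
        return hmac.compare_digest(acct.password_hash, password_hash)


class HardenedStore(VulnerableStore):
    """Mitigation: credentials created before ownership of the email was proven
    are discarded when a verified identity arrives, and password login is
    refused until the address has been verified."""

    def login_sso(self, email: str, provider: str) -> Account:
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email)
            self.accounts[email] = acct
        elif not acct.email_verified:
            # The pre-existing account never proved it owned this email, so its
            # password (and, in a real system, its sessions and tokens) cannot be
            # trusted. Drop it rather than silently merging.
            acct.password_hash = None
        acct.sso_providers.add(provider)
        acct.email_verified = True
        return acct

    def login_password(self, email: str, password_hash: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or not acct.email_verified:
            return False                     # unverified signups cannot log in at all
        return super().login_password(email, password_hash)


def simulate(store_cls) -> bool:
    """Replays the issue's timeline and returns True if the attacker's password
    still works after the real user has signed in with Google."""
    store = store_cls()
    victim_email = "victim@example.com"           # constructed sample address
    attacker_pw_hash = "hash-of-attacker-password"  # constructed; a real store would hash with argon2/bcrypt

    store.signup_password(victim_email, attacker_pw_hash)   # step 1: attacker pre-registers
    # step 2: verification mail is ignored by the victim, so email_verified stays False
    store.login_sso(victim_email, "google")                  # steps 3-4: victim "signs up" with Google
    return store.login_password(victim_email, attacker_pw_hash)  # step 5: does the attacker still get in?


if __name__ == "__main__":
    print("vulnerable store, attacker retains access:", simulate(VulnerableStore))
    print("hardened store, attacker retains access:  ", simulate(HardenedStore))
```

The hardened variant also closes the window before the merge: an account that has not verified its email cannot log in with a password at all, so pre-registering an address gains nothing even if the real owner never shows up.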