15 matches found
PocketBase vulnerable to account pre-hijacking via OAuth2 unverified->verified autolinking upgrade
A pre-hijacking issue was discovered with the OAuth2 autolinking by Alardiians. In some situations, if an attacker knows the email address of the victim they can create and link an unverified PocketBase user in advance by authenticating with one of the OAuth2 app providers, e.g. "A". When the...
CVE-2025-4687
In Teltonika Networks Remote Management System RMS, it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attacker's company without their knowledge. The victim's account a...
CVE-2025-4687
In Teltonika Networks Remote Management System RMS, it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attacker's company without their knowledge. The victim's account a...
CVE-2025-4687 Account pre-hijacking through invite misuse
In Teltonika Networks Remote Management System RMS, it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attacker's company without their knowledge. The victim's account a...
Teltonika Remote Management System security vulnerability
Teltonika Remote Management System is a remote management system used by Teltonika to manage Teltonika products. A security vulnerability exists in Teltonika Remote Management System versions prior to 5.7, which stems from misuse of the invite feature and could lead to account pre-hijacking...
CVE-2025-24856
An issue was discovered in the oidc aka OpenID Connect Authentication extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: 1 an attacker can anticipate the...
CVE-2025-24856
An issue was discovered in the oidc aka OpenID Connect Authentication extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: 1 an attacker can anticipate the...
CVE-2025-24856
An issue was discovered in the oidc aka OpenID Connect Authentication extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: 1 an attacker can anticipate the...
CVE-2025-24856
A vulnerability in the TYPO3 OpenID Connect (oidc) extension affects versions before v4.0.0. The account linking logic allows a pre-hijacking attack: an attacker who can guess a user’s email, register a public frontend account with that email before the user’s first OIDC login, and rely on the IDP returning that email i...
CVE-2025-24856
An issue was discovered in the oidc aka OpenID Connect Authentication extension before 4.0.0 for TYPO3. The account linking logic allows a pre-hijacking attack, leading to Account Takeover. The attack can only be exploited if the following requirements are met: 1 an attacker can anticipate the...
Hackers can take over accounts you haven’t even created yet
Account hijacking has sadly become a regular, everyday occurrence. But when it comes to hijacking accounts before they are even created? That's something you'd never think possible—but it is. Two security researchers, Avinash Sudhodanan and Andrew Paverd, call this new class of attack a...
Learn How Hackers Can Hijack Your Online Accounts Even Before You Create Them
Malicious actors can gain unauthorized access to users' online accounts via a new technique called "account pre-hijacking," latest research has found. The attack takes aim at the account creation process that's ubiquitous in websites and other online platforms, enabling an adversary to perform a...
New Research Paper: Pre-hijacking Attacks on Web User Accounts
In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researche...
New Research Paper: Pre-hijacking Attacks on Web User Accounts
In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researche...
New Research Paper: Pre-hijacking Attacks on Web User Accounts
In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researche...