A user can sign up using any email address, without proving they control it, and then link Apple, Facebook, and Google social accounts to that account as a backdoor. If the real owner of the email address later attempts to register, they are forced to perform a password reset to gain access, but the app does not unlink the social accounts that were linked previously, so the original registrant keeps a way in.
The process resembles the following:
- Register an account for the target's email address using a password login
- Link the account to an Apple or Facebook account
- Target attempts to sign up and is forced to reset their password in order to gain access
- Target begins using account, configures connections to other apps
- Adversary authenticates to the target’s account using the Apple or Facebook account
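The following is an added illustration, not code from the original report or from the affected app, that models the account state machine behind the five steps above and shows the two server-side checks that close the gap: refusing to link a federated identity to an address that has never been verified, and revoking any identity linked before the first proof of mailbox control when a password reset completes. All names (`AccountService`, the constructed email and provider subject ids, the "hash(...)" placeholders) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values for the walkthrough (not taken from the report).
TARGET_EMAIL = "target@example.com"
ADVERSARY_APPLE_SUB = "apple-sub-0001"
TARGET_GOOGLE_SUB = "google-sub-0002"


@dataclass
class LinkedIdentity:
    provider: str
    subject: str                 # the provider's stable user id for this login
    linked_while_verified: bool  # was the account's email proven at link time?


@dataclass
class Account:
    email: str
    password_hash: str
    email_verified: bool = False
    identities: list = field(default_factory=list)


class AccountService:
    """Minimal account store with password login plus social (federated) login."""

    def __init__(self, require_verified_to_link: bool, revoke_unverified_links_on_reset: bool):
        self.require_verified_to_link = require_verified_to_link
        self.revoke_unverified_links_on_reset = revoke_unverified_links_on_reset
        self.accounts: dict[str, Account] = {}

    def register_with_password(self, email: str, password_hash: str) -> Account:
        if email in self.accounts:
            raise ValueError("email already registered")
        acct = Account(email=email, password_hash=password_hash)
        self.accounts[email] = acct
        return acct

    def link_identity(self, email: str, provider: str, subject: str) -> None:
        acct = self.accounts[email]
        if self.require_verified_to_link and not acct.email_verified:
            # Mitigation 1: never attach a federated identity to an unverified address.
            raise PermissionError("verify email before linking a social account")
        acct.identities.append(LinkedIdentity(provider, subject, acct.email_verified))

    def reset_password_via_email(self, email: str, new_hash: str) -> Account:
        acct = self.accounts[email]
        acct.password_hash = new_hash
        # Completing the emailed reset link is the first proof of mailbox control
        # for an account that was registered without verification.
        first_proof = not acct.email_verified
        acct.email_verified = True
        if self.revoke_unverified_links_on_reset and first_proof:
            # Mitigation 2: anything linked before this proof was attached by
            # someone who never demonstrated control of the address.
            acct.identities = [i for i in acct.identities if i.linked_while_verified]
        return acct

    def login_with_identity(self, provider: str, subject: str) -> Optional[Account]:
        for acct in self.accounts.values():
            for ident in acct.identities:
                if ident.provider == provider and ident.subject == subject:
                    return acct
        return None


def run_scenario(require_verified_to_link: bool, revoke_unverified_links_on_reset: bool) -> bool:
    """Replays the report's steps; returns True if the pre-registrant keeps access."""
    svc = AccountService(require_verified_to_link, revoke_unverified_links_on_reset)
    # Steps 1-2: pre-register the target's address and link an Apple identity to it
    svc.register_with_password(TARGET_EMAIL, "hash(pre-registrant-pw)")
    try:
        svc.link_identity(TARGET_EMAIL, "apple", ADVERSARY_APPLE_SUB)
    except PermissionError:
        pass  # mitigation 1 refuses the link outright
    # Steps 3-4: the real owner is forced through a password reset and starts using the account
    svc.reset_password_via_email(TARGET_EMAIL, "hash(target-pw)")
    # Step 5: does the social login path still resolve to the target's account?
    return svc.login_with_identity("apple", ADVERSARY_APPLE_SUB) is not None


def legitimate_link_survives() -> bool:
    """Checks that revocation is not over-broad: a link made after verification stays."""
    svc = AccountService(require_verified_to_link=True, revoke_unverified_links_on_reset=True)
    svc.register_with_password(TARGET_EMAIL, "hash(pw1)")
    svc.reset_password_via_email(TARGET_EMAIL, "hash(pw2)")  # first proof of mailbox control
    svc.link_identity(TARGET_EMAIL, "google", TARGET_GOOGLE_SUB)
    svc.reset_password_via_email(TARGET_EMAIL, "hash(pw3)")  # a later reset keeps the link
    return svc.login_with_identity("google", TARGET_GOOGLE_SUB) is not None


if __name__ == "__main__":
    print("vulnerable flow keeps backdoor:", run_scenario(False, False))
    print("verify-before-link alone closes it:", run_scenario(True, False))
    print("revoke-on-reset alone closes it:", run_scenario(False, True))
    print("legitimate post-verification link survives:", legitimate_link_survives())
```

Either check on its own is enough to break the flow described above; the per-link `linked_while_verified` flag is what lets the reset handler distinguish a pre-registrant's link from one the real owner made after proving the address, so a later reset does not strip the owner's own social logins.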