Twitter, LinkedIn, Yahoo! and Hotmail accounts are open to hijacking thanks to a flaw that allows session cookies to be stolen and reused, according to a researcher. These web applications fail to assign a new session identifier on login, which allows for a session fixation attack in which the accounts can be hijacked.
An attacker would need to intercept cookies while the user is logged into the service, as the cookies expire on log-out – with the exception of LinkedIn which kept its cookies active for three months, according to researcher Rishi Narang.
Attackers in possession of the right cookie would have unfettered access to accounts. Password changes would not prevent access.
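The two defects described above (the pre-login session identifier surviving authentication, and a password change leaving existing sessions valid) are easiest to see side by side in a small server-side session store. The following is an added example written for this page; it is not code from the article, from the researcher, or from any of the services named. All names (`SessionStore`, `demo`, the `alice` credential) are hypothetical, and the credential store is a stand-in for a real salted-hash table. With `hardened=False` the store reproduces the reported behaviour; with `hardened=True` it rotates the identifier at login, revokes every session of the user on password change or logout, and expires idle sessions.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str | None      # None while the visitor is still anonymous
    expires: float        # absolute timestamp; sessions are not kept forever


class SessionStore:
    """Server-side session table keyed by the cookie value.

    hardened=False reproduces the defect described in the article: the
    pre-login identifier survives authentication and a password change
    does not touch existing sessions.  hardened=True applies the fixes.
    """

    def __init__(self, hardened: bool, ttl_seconds: float = 3600.0, clock=time.time):
        self.hardened = hardened
        self.ttl = ttl_seconds
        self.clock = clock                  # injectable so tests are deterministic
        self._sessions: dict[str, Session] = {}
        # constructed test credential; a real service stores a salted hash
        self._passwords = {"alice": "correct horse battery staple"}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG: unguessable, which rotation relies on
        return secrets.token_urlsafe(32)

    def start_anonymous(self) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(None, self.clock() + self.ttl)
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        expected = self._passwords.get(user, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("bad credentials")
        if self.hardened:
            # Fixation defence: discard the identifier the browser arrived with
            # and issue a fresh one that nobody could have seen before this login.
            self._sessions.pop(sid, None)
            sid = self._new_id()
        self._sessions[sid] = Session(user, self.clock() + self.ttl)
        return sid

    def whoami(self, sid: str) -> str | None:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.clock() > s.expires:
            del self._sessions[sid]         # expired: treat exactly like absent
            return None
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def revoke_all(self, user: str) -> int:
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def change_password(self, user: str, new_password: str) -> None:
        self._passwords[user] = new_password
        if self.hardened:
            # A password change must cut off anyone holding an older cookie.
            self.revoke_all(user)


def demo(hardened: bool) -> dict[str, bool]:
    """Walk one account through login, password change and idle expiry and
    report whether a cookie captured at each stage still grants access."""
    now = [1_000_000.0]
    store = SessionStore(hardened, ttl_seconds=600.0, clock=lambda: now[0])

    pre_login = store.start_anonymous()          # value a third party could already hold
    post_login = store.login(pre_login, "alice", "correct horse battery staple")
    result = {
        "pre_login_id_reused": pre_login == post_login,
        "pre_login_cookie_is_authenticated": store.whoami(pre_login) == "alice",
    }
    store.change_password("alice", "new passphrase")
    result["cookie_survives_password_change"] = store.whoami(post_login) == "alice"

    fresh = store.login(store.start_anonymous(), "alice", "new passphrase")
    now[0] += 601.0                               # idle for longer than the TTL
    result["cookie_survives_expiry"] = store.whoami(fresh) == "alice"
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", demo(mode))
```

Running the block prints the vulnerable profile (pre-login identifier reused, captured cookie authenticated, cookie still valid after a password change) followed by the hardened profile, where each of those checks is false. The design point is that rotation at login only helps if the identifier is unguessable and the old one is actually destroyed server-side, and that "change password" must be treated as a revocation event rather than a credential update alone.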
SC replayed Narang’s proof of concept steps and was able to access various Twitter accounts by inserting the respective alphanumeric auth_token into locally-stored Twitter cookies using the Cookie Manager browser extension.
It is understood Twitter knew of the vulnerability.
Microsoft Outlook and Live services along with Yahoo were also affected, Narang said.
Twitter, Microsoft and Yahoo used HTTPS to help mitigate the risk of the cookies being remotely intercepted, but Narang said that was not enough.
“To me it is a compensatory control, it is not a fix for a session management vulnerability,” Narang said.
“There are examples where cookies can be accessible to hijack authenticated sessions. And these cookies are days, sometimes months old. As a result, someone can successfully access accounts that belong to individuals from different global locations.”
Director of Sydney-based penetration testing firm HackLabs, Chris Gatford, was surprised such large companies would leave the vulnerability exposed.
“It’s web app security 101,” Gatford said.
He said other attack techniques would be required in order to swipe the cookies and gain account access from a remote location.
“You could use some sort of cross site scripting attack if you did not have physical access to the machine”.
During penetration tests Gatford found many organisations were exposed to the vulnerability and failed to fix it after becoming aware of the problem. He said a quick fix for some complex frameworks could be to utilise two cookies for the login process.
Source: SCMagazine Australia, Slashdot