Twitter, LinkedIn, Yahoo! and Hotmail accounts can be hijacked because of a flaw that allows session cookies to be stolen and reused, according to a researcher.
The web applications do not issue a fresh session identifier when a user logs in, and the identifier stays valid after a password change, so a captured cookie can simply be replayed to take over the account. The report describes this as a session fixation weakness; the attack actually exercised is cookie replay.
An attacker would normally need to capture the cookies while the user is logged in, because the cookies expire on log-out. LinkedIn was the exception: it kept its cookies active for three months, according to researcher Rishi Narang.
Anyone holding a valid cookie would have unfettered access to the account, and a password change would not revoke it.
SC replayed Narang's proof-of-concept steps and was able to access various Twitter accounts by pasting the respective alphanumeric auth_token value into locally stored Twitter cookies with the Cookie Manager browser extension.
Microsoft's Outlook and Live services, along with Yahoo, were also affected, Narang said.
Twitter, Microsoft and Yahoo served the cookies over HTTPS, which mitigates the risk of their being intercepted in transit, but Narang said that was not enough.
"To me it is a compensatory control, it is not a fix for a session management vulnerability," Narang said.
"There are examples where cookies can be accessible to hijack authenticated sessions. And these cookies are days, sometimes months old. As a result, someone can successfully access accounts that belong to individuals from different global locations."
Director of Sydney-based penetration testing firm HackLabs, Chris Gatford, was surprised such large companies would leave the vulnerability exposed.
"It's web app security 101," Gatford said.
He said other attack techniques would be required to steal the cookies and gain account access from a remote location.
"You could use some sort of cross site scripting attack if you did not have physical access to the machine."
During penetration tests Gatford found many organisations were exposed to the vulnerability and failed to fix it after becoming aware of the problem. He said a quick fix for some complex frameworks could be to utilise two cookies for the login process.
Copyright © SC Magazine, Australia