Slashdot Mirror

← Back to Stories (view on slashdot.org)

Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

Posted by Soulskill on from the at-least-they're-consistent dept.

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

2 of 125 comments (clear)

  1. Re:is this really an exploit? by Mike+Buddha · · Score: 4, Funny

    that's like saying, "hey, I can login using your account as long as I steal your password first."

    That's a known exploit that Micro$oft has known about and REFUSED to fix for years!

    --
    by Mike Buddha -- Someday the mountain might get him, but the law never will.
  2. Re:What? by gooman · · Score: 4, Funny

    And the person with the cookie can still use your account after you log off.

    So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking the attacker.

    So if I login to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?

    Please DO NOT log out of your Gmail account.

    It makes you more difficult to track.

    Sincerely,

    Your Government

    --
    "Kittens give Morbo gas!"