Slashdot Mirror

← Back to Stories (view on slashdot.org)

Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

Posted by Soulskill on from the at-least-they're-consistent dept.

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

8 of 125 comments (clear)

  1. They know how cookies work right? by jmauro · · Score: 4, Insightful

    It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.

    1. Re:They know how cookies work right? by bdwebb · · Score: 3, Insightful

      It may be a website problem but it becomes a consumer problem, especially when the method of payment stored on an account can potentially be utilized by re-using cookies.

    2. Re:They know how cookies work right? by bdwebb · · Score: 1, Insightful

      WTF are you talking about? Your logic is that because of the functions of Malware is that many Malware programs install keystroke loggers, and because the AC post that I replied to mentioned keyloggers (even though he did not identify Malware), this somehow somehow refutes or invalidates my point??

      Since you obviously don't know how this works, Malware has access to the user's machine; however, in most cases the author or distributor of the Malware DOES NOT HAVE ACCESS TO THE MACHINE (in other words, the 'You' that the OP referenced). The OP, which is most likely you posting AC, identified that this is not a vulnerability because you can already access the machine and install a keylogger to steal the password. I did not say that this was not possible - to make sure you understand, I will explain slowly. My statement means that Malware designed specifically to obtain cookies that has been installed can forward that information to an unauthorized destination and therefore this cookie can be taken advantage of to gain access to sensitive information or to ordering interfaces with stored credit cards...which is definitely a vulnerability completely independent of the physical or remote access style vulnerability that the OP referenced.

      The vulnerability in question is the fact that a cookie can be copy-fucking-pasted and used as though the new location is the authorized, authenticated user with stored credit card information. I hope you are extremely high because your comment is probably one of the most idiotic that I've seen since I registered for Slashdot.

  2. Re:What? by uglyduckling · · Score: 4, Insightful

    No. When you login, your session cookie should have an ID unique to that browser session. When you logout, it should cancel that ID at the server side, so even if the cookie persists it would be invalid. It seems like many websites are implementing this functionality by just deleting the session cookie when you logout. That's a problem.

  3. Re: Let me get this straight by chill · · Score: 3, Insightful

    No, it isn't. If you explicitly click "log out" it is supposed to log you out and you have to explicitly log back in.

    "Remember me" is only supposed to keep you signed in if you don't explicitly log out, such as by just leaving the page or closing the browser.

    Otherwise, how do you actually log out of a session?

    --
    Learning HOW to think is more important than learning WHAT to think.
  4. Snowden leak: Microsoft added Outlook.com backdoor by Anonymous Coward · · Score: 2, Insightful

    Not an exploit, just business as usual.

    NSA praises Redmond for 'collaborative teamwork'
    There are red faces in Redmond after Edward Snowden released a new batch of documents from the NSA's Special Source Operations (SSO) division covering Microsoft's involvement in allowing backdoor access to its software to the NSA and others.

    Documents seen by The Guardian detail how the NSA became concerned when Microsoft started testing Outlook.com, and asked for access. In five months Microsoft and the FBI created a workaround that gives the NSA access to encrypted chats on Outlook.com. The system went live in December last year – two months before Outlook.com's commercial launch.

    http://www.theregister.co.uk/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/

  5. Re:2013 by hairyfeet · · Score: 2, Insightful

    Good lord are we REALLY gonna have to explain on every. damned. security. story. how having the source isn't magic? The "many eyes" myth is just that and just because a program or website is FOSS doesn't make it more secure? hell watch how easy it is to blow "many eyes" out of the water, ready?

    Now we ALL know that Slashdot is one of the most FOSS loving websites there is,right? That while the global numbers of Linux users are around 0.9% we could easily hit double digits here, right? this is like Geeker heaven, yes? Okay here goes...show of hands, how many of you have done an extensive code audit on Libre Office? Gimp? Firefox? Anyone? Bueller?

    NOW do you understand why simply having source means jack and squat? For many eyes to work IRL you'd have to have 1.- Enough guys with the requisite skills and experience to even SPOT the flaws, see the Obfuscated C contest as to why THAT is important, 2.- Those guys have nothing better to do than to scan and debug YOUR code all day, which considering how in demand highly skilled programmers are? Not very damned likely, and finally 3.- Have enough of them to keep up with the changes that when you are talking about FOSS is practically a torrent. hell I bet it would take a good year to do an extensive code audit of a large program like Libre office...how many releases did LO have last year? See the problem yet?

    Having the code fixes ONE problem and one problem alone, and that is old versions being abandoned. If you have the code AND you have the skills OR the money to hire your own dev team than and ONLY then will that code be a life saver, the rest of the time, and especially when we are talking about security, which involves not just the program itself but the underlying OS and subsystems? yeah...not so much. Frankly if even 3% of the code in your average distro gets seen by anybody but the guys running the projects I'd frankly be amazed but thanks to the "many eyes" myth people think because something CAN happen it HAS happened. Well by that logic because theoretically an immortal CAN be born then there are immortals running the earth, but i really don't think I have to worry about a 400 year old Scotsman with a sword coming at me in the parking lot, do you?

    --
    ACs don't waste your time replying, your posts are never seen by me.
  6. Re:2013 by amiga3D · · Score: 3, Insightful

    You ignore one obvious truth. With FOSS no matter how unlikely someone will look at the code it actually is a possibility that it will happen. With proprietary software there is no chance in hell. None. Nada. Zip! All kinds of nastiness hidden away and everyone knows their little nasty secrets are secure behind closed source. Proprietary software guarantees this kind of stuff will without any doubt happen. FOSS gives you a chance at least.