Slashdot Mirror

← Back to Stories (view on slashdot.org)

Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

Posted by Soulskill on from the at-least-they're-consistent dept.

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

5 of 125 comments (clear)

  1. They know how cookies work right? by jmauro · · Score: 4, Insightful

    It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.

    1. Re:They know how cookies work right? by bdwebb · · Score: 3, Insightful

      It may be a website problem but it becomes a consumer problem, especially when the method of payment stored on an account can potentially be utilized by re-using cookies.

  2. Re:What? by uglyduckling · · Score: 4, Insightful

    No. When you login, your session cookie should have an ID unique to that browser session. When you logout, it should cancel that ID at the server side, so even if the cookie persists it would be invalid. It seems like many websites are implementing this functionality by just deleting the session cookie when you logout. That's a problem.

  3. Re: Let me get this straight by chill · · Score: 3, Insightful

    No, it isn't. If you explicitly click "log out" it is supposed to log you out and you have to explicitly log back in.

    "Remember me" is only supposed to keep you signed in if you don't explicitly log out, such as by just leaving the page or closing the browser.

    Otherwise, how do you actually log out of a session?

    --
    Learning HOW to think is more important than learning WHAT to think.
  4. Re:2013 by amiga3D · · Score: 3, Insightful

    You ignore one obvious truth. With FOSS no matter how unlikely someone will look at the code it actually is a possibility that it will happen. With proprietary software there is no chance in hell. None. Nada. Zip! All kinds of nastiness hidden away and everyone knows their little nasty secrets are secure behind closed source. Proprietary software guarantees this kind of stuff will without any doubt happen. FOSS gives you a chance at least.