Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

← Back to Stories (view on slashdot.org)

Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

Posted by Soulskill on Tuesday July 16, 2013 @10:33AM from the at-least-they're-consistent dept.

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

32 of 125 comments (clear)

Min score:

Reason:

Sort:

They know how cookies work right? by jmauro · 2013-07-16 10:39 · Score: 4, Insightful

It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.
1. Re:They know how cookies work right? by Antony+T+Curtis · 2013-07-16 10:44 · Score: 4, Informative
  
  It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.
  The complaint is that the expectation of "logging off" should invalidate existing cookies.
  
  --
  No sig. Move along - nothing to see here.
2. Re:They know how cookies work right? by Anonymous Coward · 2013-07-16 10:45 · Score: 3, Interesting
  
  Yahoo mail auth cookies are stolen by ads on a regular basis and used to send spam as an authorized Yahoo user. It's been going on for a long time and still happens every day.
3. Re:They know how cookies work right? by d00m.wizard · 2013-07-16 10:46 · Score: 4, Informative
  
  Again, the issue is that the cookies don't seem to be tied to a unique session, and thus can be used by non-authorized parties if they are able to grab an instance of your session.
  
  --
  * A world imprisoned screams with pain There are no leaders you can blame Your avarice destroyed your sphere And the
4. Re:They know how cookies work right? by vux984 · 2013-07-16 11:06 · Score: 4, Informative
  
  Isn't that the websites problem?
  Yes it is, that's why they reported it as a problem with Office 365, Netflix, Amazon, etc you know... websites.
5. Re:They know how cookies work right? by Cramer · 2013-07-16 11:13 · Score: 5, Informative
  
  Indeed. Except in this case the "logout" function simply instructs the browser to forget that cookie. Any machine that still has that cookie is still logged in. A logout should not only remove the cookie, but invalidate it's contents. Changing your password should invalidate every login immediately. Additionally, each "login" should create a different value.
  If (when) someone gets ahold of that cookie, they will have access to the account until the thing expires (if ever.) You have no way to get them out of your account; a logout won't do it, changing your password won't do it. (not that they knew your password in the first place)
6. Re:They know how cookies work right? by bdwebb · 2013-07-16 11:20 · Score: 3, Insightful
  
  It may be a website problem but it becomes a consumer problem, especially when the method of payment stored on an account can potentially be utilized by re-using cookies.
7. Re:They know how cookies work right? by Narcocide · 2013-07-16 12:30 · Score: 3, Interesting
  
  I don't know if this is true, but I get a LOT of spam from legit Yahoo servers, some of it occasionally from accounts of people I know who can't seem to keep their password secret, so that does lend a lot of credibility to this. I actually get quite a lot of spam (usually ~300 items per day to my main account alone) and with the exception of only Yahoo, HSBC and DNB, all of the rest has plainly come from spoofed/forged email servers.
8. Re:They know how cookies work right? by rbayer · 2013-07-16 12:32 · Score: 2
  
  The complaint is that the expectation of "logging off" should invalidate existing cookies.
  Yes, but for what added benefit? If someone else has enough access privileges to get cookies from my browser session before I click logout, then they almost certainly have enough privileges to just install a key logger and steal my username/password directly. Same for if they're able to install a trojan browser that doesn't actually delete cookies when instructed to.
9. Re:They know how cookies work right? by guruevi · 2013-07-16 13:34 · Score: 2
  
  Not necessarily. What if you simply get your media carrier stolen. You can't derive passwords from it, you can derive a history and cookies however which if you simply copy them to a similar system gives you straight back access to this.
  Also, if someone intercepts the cookies or does a HTTPS MITM redirect, the malicious site could simply ask for the cookies for said domain and then still forward you to the legitimate HTTPS domain.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
10. Re:They know how cookies work right? by Rockoon · 2013-07-16 15:59 · Score: 2
  
  The OP, which is most likely you posting AC
  Your keen insight into things continues to undermine you.
  
  --
  "His name was James Damore."
Let me get this straight by FalleStar · 2013-07-16 10:41 · Score: 2

If a user has a website remember their login via a cookie, and I make a copy of that cookie and put it into my browser, I will be logged in as that user? I am shocked...
It doesn't take much to be considered an "hacking professor" now days, does it?
1. Re:Let me get this straight by d00m.wizard · 2013-07-16 10:45 · Score: 2
  
  The issue here, is people are expecting their sessions to be tied to a unique cookie for authentication, and this isn't the case.
  
  --
  * A world imprisoned screams with pain There are no leaders you can blame Your avarice destroyed your sphere And the
2. Re:Let me get this straight by uglyduckling · 2013-07-16 10:52 · Score: 2
  
  Not if the "remember me" option has been clicked, that's the point.
3. Re:Let me get this straight by Anonymous Coward · 2013-07-16 10:55 · Score: 2, Interesting
  
  You can have multiple sessions per cookie. This is how you are able to go back to a site when you've asked it to Remember your login and be logged in automatically. No one in their right mind is going to have a server keep a session open occupying resources for days at a time. Sessions are pretty temporary, whereas cookies for automatic login usually don't expire for a couple of weeks.
  The more likely issue is that the ID of the cookie should be tracked in a database, and logoff should invalidate it so that it will not be accepted in the future.
4. Re: Let me get this straight by chill · 2013-07-16 11:24 · Score: 3, Insightful
  
  No, it isn't. If you explicitly click "log out" it is supposed to log you out and you have to explicitly log back in.
  "Remember me" is only supposed to keep you signed in if you don't explicitly log out, such as by just leaving the page or closing the browser.
  Otherwise, how do you actually log out of a session?
  
  --
  Learning HOW to think is more important than learning WHAT to think.
5. Re:Let me get this straight by Yaur · 2013-07-16 11:26 · Score: 2
  
  "Keeping a session open" consumes in the neighborhood of 20-40 bytes in a database... not significant by any stretch of the imagination. The way we do it is that the cookie maps to a session Id and "logout" removes the cookie and closes the session in the database.
Re:is this really an exploit? by Mike+Buddha · 2013-07-16 10:46 · Score: 4, Funny

that's like saying, "hey, I can login using your account as long as I steal your password first."
That's a known exploit that Micro$oft has known about and REFUSED to fix for years!

--
by Mike Buddha -- Someday the mountain might get him, but the law never will.
OWASP Save Us! by Qzukk · 2013-07-16 10:51 · Score: 2

Can someone please come up with a "best practices" for this? Say "This is how you log a browser user in, this is how to check if a given browser is a logged in user, this is how to log out a user?" (That last one is important, no browser provides a logout button for Basic Authentication) Is storing everything server side in a session (referenced by a session cookie) the best way to do this? What about mobile users, is their IP static throughout a session or does their IP change if they change cells?
The Authentication Cheat Sheet is a good start, but basically cuts off at "use SSL, require long passwords, and make authentication someone else's problem with single-sign-on." Does anyone really know or have they merely amassed years of experience doing what they think is right?

--
If I have been able to see further than others, it is because I bought a pair of binoculars.
1. Re:OWASP Save Us! by aztracker1 · 2013-07-16 11:20 · Score: 2
  
  Three potential cookies...
  
  Automatic Login / Remember Me: Ideally only a token/key to a server-side record. Said record should probably also have your useragent string (for spoofing detection. This is used on the login screen to auto-log you in, if not already logged in, and create a new authenticated session value. If you explicitely logout, this should be deleted on the client and the server.
  
  Session Token/Cookie: A token used for a single session, you may want to also correlate this with the user's agent, as well as their IP address, depending on your needs. If you logout, this should be deleted and the server-side record expunged. This should be associated with server-side records and temporary information necessary.
  
  Authentication Cookie: A server-side encrypted cookie that is used to store your username and roles, it should also contain your current session token. This is to reduce the need for potentially expensive rules lookups and to validate access early on. You should also check against the current session... a non-match should invalidate said cookie. Any kind of logout should delete this cookie.
  
  By using this combination of cookies you can have additional validation constraints in place. The remember-me is only really used from the login screen as an auto-login and redirect flag. This should be checked against a database. The session cookie is again only a lookup id, so that you can access/check other information... A separate Authentication Cookie allows you to keep some information in the cookie, and it should be checked and validated against the active session id, which has its' own checks.
  
  A logout should remove all three cookies. The cookies should be unique per system... a 1 - many relationship of users to autologin / session cookies in the database. You also may want to limit 5 sessions/autologin to a user, deactivating any but the 5 most recent on use. You may also want to check last use of autologin... if a cookie hasn't been used in over a week, then it's invalid... if its more than say 3-4 weeks old, it's in valid. ... for session cookies, that timing should be less, depending on your needs.
  
  --
  Michael J. Ryan - tracker1.info
Re:What? by amorsen · 2013-07-16 10:51 · Score: 3, Interesting

So if I login to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?
If you log in to GMail twice, you get two different cookies. In a sane world, when you hit "logout", the specific cookie gets invalidated and you have to log in again on that device if you want back in. Hotmail (seemingly unlike GMail) does not exist in a sane world.

--
Finally! A year of moderation! Ready for 2019?
Re:What? by uglyduckling · 2013-07-16 10:54 · Score: 4, Insightful

No. When you login, your session cookie should have an ID unique to that browser session. When you logout, it should cancel that ID at the server side, so even if the cookie persists it would be invalid. It seems like many websites are implementing this functionality by just deleting the session cookie when you logout. That's a problem.
Re:What? by gooman · 2013-07-16 11:03 · Score: 4, Funny

And the person with the cookie can still use your account after you log off.
So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking the attacker.
So if I login to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?
Please DO NOT log out of your Gmail account.
It makes you more difficult to track.
Sincerely,
Your Government

--
"Kittens give Morbo gas!"
What has this got to do with Microsoft? by black3d · 2013-07-16 11:06 · Score: 2, Interesting

Is this entire article some kind of joke? If you have physical access to a machine and are able to "steal" the cookies from their logged in browser session, then on another machine replicate that browser session and utilize that same logged in cookie so that the site can't tell the difference between the machine you HAVE PHYSICAL LOGGED-IN ACCESS TO and the replicated session, so you're able to continue using the site? Isn't this behaviour "as intended"?

This would only be a "flaw" if another site could remotely copy my cookies and continue my session 'as me'. (Well, actually, I have Java installed, so they probably can *cough*). Otherwise, it's exactly how a logged in cookie is meant to work. The only tacit connection to "Microsoft" seems to be that "Microsoft, like some other companies.. have websites on the internet."

Actually, the fact that Microsoft requires re-authentication to make any account changes is actually a good thing. The article makes some excuse about "what's the use of that if they're already able to read the emails with the logged in cookie", to which I counter - YES, OR.. YOU KNOW.. READING THE EMAILS ON THE LOGGED IN SESSION YOU ALREADY HAVE ON THE ORIGINAL MACHINE IN FRONT OF YOU.

--
"The true measure of a person is how they act when they know they won't get caught." - DSRilk
1. Re:What has this got to do with Microsoft? by Spykk · 2013-07-16 14:59 · Score: 4, Informative
  
  There aren't many situations where this vulnerability is relevant, but here is one:
  
  You are logged into your Office 365 account in a coffee shop with unencrypted wifi. You happen to glance at another patrons computer only to realize that he has hijacked your session by sniffing the unencrypted session cookie that you are sending to the server every time you load a page! You quickly hit the logout button expecting your session to be invalidated, but the logout button only deleted the cookie local to your device. The guy who hijacked your session is still logged in and proceeds to send an email to your boss calling him a "nub".
  
  Had Microsoft's service invalidated your session token on the server when you hit logout this disaster could have been avoided.
Snowden leak: Microsoft added Outlook.com backdoor by Anonymous Coward · 2013-07-16 12:18 · Score: 2, Insightful

Not an exploit, just business as usual.
NSA praises Redmond for 'collaborative teamwork'
There are red faces in Redmond after Edward Snowden released a new batch of documents from the NSA's Special Source Operations (SSO) division covering Microsoft's involvement in allowing backdoor access to its software to the NSA and others.
Documents seen by The Guardian detail how the NSA became concerned when Microsoft started testing Outlook.com, and asked for access. In five months Microsoft and the FBI created a workaround that gives the NSA access to encrypted chats on Outlook.com. The system went live in December last year – two months before Outlook.com's commercial launch.
http://www.theregister.co.uk/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/
Re:2013 by hairyfeet · 2013-07-16 14:11 · Score: 2, Insightful

Good lord are we REALLY gonna have to explain on every. damned. security. story. how having the source isn't magic? The "many eyes" myth is just that and just because a program or website is FOSS doesn't make it more secure? hell watch how easy it is to blow "many eyes" out of the water, ready?
Now we ALL know that Slashdot is one of the most FOSS loving websites there is,right? That while the global numbers of Linux users are around 0.9% we could easily hit double digits here, right? this is like Geeker heaven, yes? Okay here goes...show of hands, how many of you have done an extensive code audit on Libre Office? Gimp? Firefox? Anyone? Bueller?
NOW do you understand why simply having source means jack and squat? For many eyes to work IRL you'd have to have 1.- Enough guys with the requisite skills and experience to even SPOT the flaws, see the Obfuscated C contest as to why THAT is important, 2.- Those guys have nothing better to do than to scan and debug YOUR code all day, which considering how in demand highly skilled programmers are? Not very damned likely, and finally 3.- Have enough of them to keep up with the changes that when you are talking about FOSS is practically a torrent. hell I bet it would take a good year to do an extensive code audit of a large program like Libre office...how many releases did LO have last year? See the problem yet?
Having the code fixes ONE problem and one problem alone, and that is old versions being abandoned. If you have the code AND you have the skills OR the money to hire your own dev team than and ONLY then will that code be a life saver, the rest of the time, and especially when we are talking about security, which involves not just the program itself but the underlying OS and subsystems? yeah...not so much. Frankly if even 3% of the code in your average distro gets seen by anybody but the guys running the projects I'd frankly be amazed but thanks to the "many eyes" myth people think because something CAN happen it HAS happened. Well by that logic because theoretically an immortal CAN be born then there are immortals running the earth, but i really don't think I have to worry about a 400 year old Scotsman with a sword coming at me in the parking lot, do you?

--
ACs don't waste your time replying, your posts are never seen by me.
any NSA backdoor in FOSS yet? I've studied Firefox by raymorris · 2013-07-16 15:17 · Score: 5, Interesting

Has anyone studied the Firefox code, you ask. Yep, I have. I happen to be a security professional too. Have all those people who used Firefox as the basis for their browser studied the hell out of it? Yep.

We know Microsoft is full of NSA backdoors. Has any government backdoor EVER been found in any FOSS, at any time. Nope.

The insistence on continuing to believe the ridiculous out of fandom is rather curious. Certainly on some level you understand your "beliefs" are laughable, but you're just completely incapable of changing your thoughts, of learning.
Re:2013 by amiga3D · 2013-07-16 15:40 · Score: 3, Insightful

You ignore one obvious truth. With FOSS no matter how unlikely someone will look at the code it actually is a possibility that it will happen. With proprietary software there is no chance in hell. None. Nada. Zip! All kinds of nastiness hidden away and everyone knows their little nasty secrets are secure behind closed source. Proprietary software guarantees this kind of stuff will without any doubt happen. FOSS gives you a chance at least.
yeah, I've been R&Ding for years by raymorris · 2013-07-16 16:11 · Score: 2

> and make authentication someone else's problem with single-signon." Does anyone really know or have they merely amassed years of experience doing what they think is right?

I should know. I spent 17 years keeping ahead of the bad guys and ahead of the competition, developing a security system used by tens of thousands of sites. The thing is, there are a lot of ways to screw up authentication, and a lot of ways to screw up authorization. Professionals making security products screwed it up all the time, and we made two significant errors. We're arguably the best in the business, and still we made mistakes.

Therefore, "make it someone else's problem" isn't a bad answer, if someone else knows what they are doing. I'm not very careful with many things, but I'm darn careful with two - online authentication and explosives. I can answer any specific questions, but to try to cover the topic in a Slashdot post would be a lot like a post on how to make fireworks. There's not time or space to cover the topic properly. Feel free to post or email specific questions, though.
Bitlocker cracked since at least 2008 by raymorris · 2013-07-16 16:24 · Score: 5, Informative

There are three modes of operation possible with Bitlocker. The most secure has had an exploit publicly known for five years. In that most secure mode, reading the disk is inconvenient, but entirely possible even for independent security people like myself. For a nation-state, it's trivial.
Re:2013 by oreaq · 2013-07-16 17:32 · Score: 3, Interesting

The other big advantage with FOSS is that the change and commit logs are publicly accessible. If you introduce a backdoor in a FOSS product you can't hide behind a corporation. Your own name is tied to that backdoor. This is a strong disincentive; decades of social, economic, and criminal studies prove that.