
Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

  1. They know how cookies work right? by jmauro · · Score: 4, Insightful

    It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.

    1. Re:They know how cookies work right? by Antony+T+Curtis · · Score: 4, Informative

      It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.

      The complaint is that the expectation of "logging off" should invalidate existing cookies.

      --
      No sig. Move along - nothing to see here.
    2. Re:They know how cookies work right? by Anonymous Coward · · Score: 3, Interesting

      Yahoo mail auth cookies are stolen by ads on a regular basis and used to send spam as an authorized Yahoo user. It's been going on for a long time and still happens every day.

    3. Re:They know how cookies work right? by d00m.wizard · · Score: 4, Informative

      Again, the issue is that the cookies don't seem to be tied to a unique session, and thus can be used by non-authorized parties if they are able to grab an instance of your session.

      --
      * A world imprisoned screams with pain There are no leaders you can blame Your avarice destroyed your sphere And the
    4. Re:They know how cookies work right? by vux984 · · Score: 4, Informative

      Isn't that the website's problem?

      Yes it is, that's why they reported it as a problem with Office 365, Netflix, Amazon, etc., you know... websites.

    5. Re:They know how cookies work right? by Cramer · · Score: 5, Informative

      Indeed. Except in this case the "logout" function simply instructs the browser to forget that cookie. Any machine that still has that cookie is still logged in. A logout should not only remove the cookie, but invalidate its contents. Changing your password should invalidate every login immediately. Additionally, each "login" should create a different value.

      If (when) someone gets ahold of that cookie, they will have access to the account until the thing expires (if ever.) You have no way to get them out of your account; a logout won't do it, changing your password won't do it. (not that they knew your password in the first place)

    6. Re:They know how cookies work right? by bdwebb · · Score: 3, Insightful

      It may be a website problem but it becomes a consumer problem, especially when the method of payment stored on an account can potentially be utilized by re-using cookies.

    7. Re:They know how cookies work right? by Narcocide · · Score: 3, Interesting

      I don't know if this is true, but I get a LOT of spam from legit Yahoo servers, some of it occasionally from accounts of people I know who can't seem to keep their password secret, so that does lend a lot of credibility to this. I actually get quite a lot of spam (usually ~300 items per day to my main account alone) and with the exception of only Yahoo, HSBC and DNB, all of the rest has plainly come from spoofed/forged email servers.

  2. Re:is this really an exploit? by Mike+Buddha · · Score: 4, Funny

    that's like saying, "hey, I can login using your account as long as I steal your password first."

    That's a known exploit that Micro$oft has known about and REFUSED to fix for years!

    --
    by Mike Buddha -- Someday the mountain might get him, but the law never will.
  3. Re:What? by amorsen · · Score: 3, Interesting

    So if I login to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?

    If you log in to GMail twice, you get two different cookies. In a sane world, when you hit "logout", the specific cookie gets invalidated and you have to log in again on that device if you want back in. Hotmail (seemingly unlike GMail) does not exist in a sane world.

    --
    Finally! A year of moderation! Ready for 2019?
  4. Re:What? by uglyduckling · · Score: 4, Insightful

    No. When you login, your session cookie should have an ID unique to that browser session. When you logout, it should cancel that ID at the server side, so even if the cookie persists it would be invalid. It seems like many websites are implementing this functionality by just deleting the session cookie when you logout. That's a problem.

  5. Re:What? by gooman · · Score: 4, Funny

    And the person with the cookie can still use your account after you log off.

    So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking the attacker.

    So if I login to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?

    Please DO NOT log out of your Gmail account.

    It makes you more difficult to track.

    Sincerely,

    Your Government

    --
    "Kittens give Morbo gas!"
  6. Re: Let me get this straight by chill · · Score: 3, Insightful

    No, it isn't. If you explicitly click "log out" it is supposed to log you out and you have to explicitly log back in.

    "Remember me" is only supposed to keep you signed in if you don't explicitly log out, such as by just leaving the page or closing the browser.

    Otherwise, how do you actually log out of a session?

    --
    Learning HOW to think is more important than learning WHAT to think.
  7. Re:What has this got to do with Microsoft? by Spykk · · Score: 4, Informative

    There aren't many situations where this vulnerability is relevant, but here is one:

    You are logged into your Office 365 account in a coffee shop with unencrypted wifi. You happen to glance at another patron's computer only to realize that he has hijacked your session by sniffing the unencrypted session cookie that you are sending to the server every time you load a page! You quickly hit the logout button expecting your session to be invalidated, but the logout button only deleted the cookie local to your device. The guy who hijacked your session is still logged in and proceeds to send an email to your boss calling him a "nub".

    Had Microsoft's service invalidated your session token on the server when you hit logout this disaster could have been avoided.
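    The behaviour described by Cramer, amorsen, uglyduckling and Spykk above (a fresh token per login, logout revoking the session on the server rather than just clearing the cookie, and a password change revoking every session) can be shown with a small in-memory session store. This is an added example written for this page; it is not code from any Slashdot poster nor from Microsoft, Google or any other service named in the thread. The `SessionStore` class, the `COOKIE_NAME` value and the users and passwords in `demonstrate()` are all constructed for the example.

    ```python
    import hashlib
    import hmac
    import secrets
    import time

    COOKIE_NAME = "session"  # constructed cookie name for this example


    class SessionStore:
        """In-memory session store (constructed for this example)."""

        def __init__(self, ttl_seconds=3600):
            self.ttl = ttl_seconds
            self._users = {}     # username -> {"salt", "pw_hash", "sessions": set of session keys}
            self._sessions = {}  # sha256(token) -> {"user", "expires"}

        @staticmethod
        def _hash_pw(password, salt):
            return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

        @staticmethod
        def _key(token):
            # Only a hash of the token is stored, so a copy of the store is not a copy of every live login.
            return hashlib.sha256(token.encode()).hexdigest()

        def register(self, user, password):
            salt = secrets.token_bytes(16)
            self._users[user] = {"salt": salt, "pw_hash": self._hash_pw(password, salt), "sessions": set()}

        def login(self, user, password):
            """Return a fresh random token on success: every login gets a different value."""
            rec = self._users.get(user)
            if rec is None or not hmac.compare_digest(self._hash_pw(password, rec["salt"]), rec["pw_hash"]):
                return None
            token = secrets.token_urlsafe(32)
            key = self._key(token)
            self._sessions[key] = {"user": user, "expires": time.time() + self.ttl}
            rec["sessions"].add(key)
            return token

        def user_for(self, token):
            """Resolve a presented cookie to a user, or None if it is unknown, revoked or expired."""
            key = self._key(token)
            sess = self._sessions.get(key)
            if sess is None:
                return None
            if sess["expires"] < time.time():
                self._revoke(key)
                return None
            return sess["user"]

        def _revoke(self, key):
            sess = self._sessions.pop(key, None)
            if sess is not None:
                self._users[sess["user"]]["sessions"].discard(key)

        def logout_cookie_only(self, token):
            """The weak pattern the thread describes: the browser is told to drop the cookie,
            but the server-side session stays valid, so any copy of the cookie keeps working."""
            return f"Set-Cookie: {COOKIE_NAME}=; Max-Age=0"

        def logout(self, token):
            """Hardened logout: revoke the session on the server, then also clear the cookie."""
            self._revoke(self._key(token))
            return f"Set-Cookie: {COOKIE_NAME}=; Max-Age=0"

        def change_password(self, user, old, new):
            """A successful password change revokes every session of that user."""
            rec = self._users.get(user)
            if rec is None or not hmac.compare_digest(self._hash_pw(old, rec["salt"]), rec["pw_hash"]):
                return False
            for key in list(rec["sessions"]):
                self._revoke(key)
            rec["salt"] = secrets.token_bytes(16)
            rec["pw_hash"] = self._hash_pw(new, rec["salt"])
            return True


    def demonstrate():
        """Constructed scenario: a copy of the laptop cookie exists elsewhere before the user logs out."""
        store = SessionStore()
        store.register("alice", "correct horse")
        laptop = store.login("alice", "correct horse")
        stolen_copy = laptop
        phone = store.login("alice", "correct horse")
        results = {"distinct_tokens_per_login": laptop != phone}
        store.logout_cookie_only(laptop)
        results["copy_works_after_cookie_only_logout"] = store.user_for(stolen_copy) == "alice"
        store.logout(laptop)
        results["copy_works_after_server_logout"] = store.user_for(stolen_copy) == "alice"
        results["phone_unaffected_by_laptop_logout"] = store.user_for(phone) == "alice"
        store.change_password("alice", "correct horse", "battery staple")
        results["phone_works_after_password_change"] = store.user_for(phone) == "alice"
        results["fresh_login_works"] = store.user_for(store.login("alice", "battery staple")) == "alice"
        return results


    if __name__ == "__main__":
        for name, value in demonstrate().items():
            print(f"{name}: {value}")
    ```

    Running it shows the copied cookie still resolving to the user after the cookie-only logout and failing after the server-side one, while the phone session survives the laptop logout but not the password change.
    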

  8. any NSA backdoor in FOSS yet? I've studied Firefox by raymorris · · Score: 5, Interesting

    Has anyone studied the Firefox code, you ask. Yep, I have. I happen to be a security professional too. Have all those people who used Firefox as the basis for their browser studied the hell out of it? Yep.

    We know Microsoft is full of NSA backdoors. Has any government backdoor EVER been found in any FOSS, at any time? Nope.

    The insistence on continuing to believe the ridiculous out of fandom is rather curious. Certainly on some level you understand your "beliefs" are laughable, but you're just completely incapable of changing your thoughts, of learning.

  9. Re:2013 by amiga3D · · Score: 3, Insightful

    You ignore one obvious truth. With FOSS no matter how unlikely someone will look at the code it actually is a possibility that it will happen. With proprietary software there is no chance in hell. None. Nada. Zip! All kinds of nastiness hidden away and everyone knows their little nasty secrets are secure behind closed source. Proprietary software guarantees this kind of stuff will without any doubt happen. FOSS gives you a chance at least.

  10. Bitlocker cracked since at least 2008 by raymorris · · Score: 5, Informative

    There are three modes of operation possible with Bitlocker. The most secure has had an exploit publicly known for five years. In that most secure mode, reading the disk is inconvenient, but entirely possible even for independent security people like myself. For a nation-state, it's trivial.

  11. Re:2013 by oreaq · · Score: 3, Interesting

    The other big advantage with FOSS is that the change and commit logs are publicly accessible. If you introduce a backdoor in a FOSS product you can't hide behind a corporation. Your own name is tied to that backdoor. This is a strong disincentive; decades of social, economic, and criminal studies prove that.