Slashdot Mirror

← Back to Stories (view on slashdot.org)

Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

Posted by Soulskill on from the at-least-they're-consistent dept.

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"

3 of 125 comments (clear)

  1. Re:They know how cookies work right? by Cramer · · Score: 5, Informative

    Indeed. Except in this case the "logout" function simply instructs the browser to forget that cookie. Any machine that still has that cookie is still logged in. A logout should not only remove the cookie, but invalidate it's contents. Changing your password should invalidate every login immediately. Additionally, each "login" should create a different value.

    If (when) someone gets ahold of that cookie, they will have access to the account until the thing expires (if ever.) You have no way to get them out of your account; a logout won't do it, changing your password won't do it. (not that they knew your password in the first place)

  2. any NSA backdoor in FOSS yet? I've studied Firefox by raymorris · · Score: 5, Interesting

    Has anyone studied the Firefox code, you ask. Yep, I have. I happen to be a security professional too. Have all those people who used Firefox as the basis for their browser studied the hell out of it? Yep.

    We know Microsoft is full of NSA backdoors. Has any government backdoor EVER been found in any FOSS, at any time. Nope.

    The insistence on continuing to believe the ridiculous out of fandom is rather curious. Certainly on some level you understand your "beliefs" are laughable, but you're just completely incapable of changing your thoughts, of learning.

  3. Bitlocker cracked since at least 2008 by raymorris · · Score: 5, Informative

    There are three modes of operation possible with Bitlocker. The most secure has had an exploit publicly known for five years. In that most secure mode, reading the disk is inconvenient, but entirely possible even for independent security people like myself. For a nation-state, it's trivial.