A researcher has discovered a flaw in the way cookies—the tiny files websites send to your browser to store information about you—are used by Twitter, LinkedIn, Microsoft Outlook, Microsoft Live and Yahoo. That flaw makes those services vulnerable to hijacking.
Rishi Narang discovered that cookies for those services can be “stolen and reused,” according to Australia’s SC Magazine, in what is called a “session fixation” attack.
A cookie is the code that is used to identify a given user—it’s set when you log into a website, and used to store your preferences and other site-specific information.
If an attacker can intercept cookies while you’re logged in, he could effectively convince the website that his browser is your browser, gaining “unfettered access” to your account. Even a change of password wouldn’t keep the attacker out.
“Ever since the session management grew complex,” Narang wrote on his blog, “its correlation with security has gone for a toss.”
This type of attack only works when the target is already logged in because, generally speaking, the cookie is deleted when the user logs out. Narang discovered, however, that LinkedIn is an exception, sometimes retaining a user cookie for three months!
SC reported that they were able to duplicate Narang’s method “and [were] able to access various Twitter accounts by inserting the respective alphanumeric auth_token into locally-stored Twitter cookies using the Cookie Manager browser extension.”
The process of intercepting cookies is not simple, but would hardly be beyond the scope of an experienced hacker’s skills. It can be accomplished with cross-site request forgery.
The end user can do little to protect against a session fixation attack. The session ID a hacker would need to take over an account is usually carried in an HTTP cookie, which provides some security, though Narang considers it “a compensatory control…not a fix for a session management vulnerability.”
That is up to the companies whose products are vulnerable. One security professional suggested the vulnerable properties start requiring two cookies to authenticate a session instead of just one.
H/T SC | Photo by Steven DePolo/Flickr