Friday, 24 August 2007

Cookie of death?

Many popular websites only use encryption while authenticating. After your browser sends the HTTP request containing the username and password, the connection is downgraded from HTTPS (SSL/TLS) to clear-text HTTP. After this, the rest of the traffic is sent in the clear to save overhead, since these sites are accessed by many users simultaneously.

This is a big security problem. The assumption that only the username and password should be encrypted is simply naive. Since most websites use login form authentication, the integrity of the user's session is typically determined by 'Cookie:' headers. Such headers are always sent in the clear after logging into the site.

If someone steals your cookie, that is a problem, and don't fall into the trap of thinking it is highly unlikely. The fact that many people use Wi-Fi hotspots these days makes cookie theft trivial: simply listening to the traffic with any standard sniffer such as Wireshark is enough. Other attacks such as XSS can also be used for cookie theft, but this is beyond the scope of this post.

Take someone having a coffee at Starbucks who goes online using his/her laptop. Most likely this user will log in to his/her webmail service (e.g. Live Mail) or favorite social networking site (e.g. Facebook).

After having researched many free webmail and social networking sites I found it concerning that there is no idle session timeout period in place in most of them. This means that unless the user clicks on "Logout", the session ID value(s) within the cookie will always - or at least for a significant amount of time - be accepted by the target site.

Now, here is a scary thought: what if there was a scenario in which stealing a cookie would ALWAYS grant the attacker access to the victim's account? What if changing the password after the account is hijacked wouldn't make a difference in this attack?

Let's describe an example scenario:

1. Victim checks Xmail periodically
2. Eventually someone captures the victim's cookie while the victim is using a Wi-Fi hotspot
3. Victim closes the browser (or clicks on 'Delete All' in Internet Explorer, for that matter)
4. Because Xmail doesn't have an Idle Session Timeout Period in place, the stolen cookie WILL BE ACCEPTED BY THE SITE ALWAYS
5. Even if the victim changes his password, he will never be able to expire the session that was stolen

Note: Xmail in this case could be any popular webmail service.

Notice that because the user closed the browser, Xmail will ask him to login again next time he visits the site. The same behavior applies to clicking on 'Delete All' on your browser's history.

The point is that when you close your browser (or click on 'Delete All'), all current session information is deleted from your browser (NOT from the target site's servers!). So next time the user goes back to Xmail he will be asked to log in again. This is because the browser is not sending a valid session ID anymore (it was deleted).

Even if the user clicks on "Logout" after logging in, the session flagged as 'terminated' by the server will be DIFFERENT to the one whose cookie was stolen by the attacker.

In summary, without getting technical, all I'm saying is that someone stealing your cookie can sometimes lead to a permanent hijack of your account, even if you later change your password. The period during which the account is hijacked could be several days, or the hijack could even be permanent (in cases where session IDs are never expired on the server side).

Note: most websites allow multiple simultaneous sessions for the same user, either from the same IP or from different IPs. Xmail was simply used as an example in this post. The same applies to most popular websites.
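To make the server-side fix concrete, here is a small Python session store, added as an illustration and not code from this post or from any real webmail service. It shows the two controls whose absence the scenario above relies on: an idle timeout enforced on the server rather than in the browser, and revocation of every session of a user when the password changes, so a captured copy of the cookie dies with the others. The 15-minute timeout, the user names and the function names are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which a cookie is refused (assumed policy)


class SessionStore:
    """Server-side table of live sessions: session id -> {user, last_seen}."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be exercised in a test
        self._sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)                    # unguessable, 256 bits of entropy
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the user behind a presented cookie, or None if the cookie must be refused."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]                        # expired on the SERVER, not just in the browser
            return None
        entry["last_seen"] = self._clock()
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)                      # ends exactly this one session

    def change_password(self, user):
        """Revoke every session of the user, including any copy an attacker captured."""
        for sid in [s for s, e in self._sessions.items() if e["user"] == user]:
            del self._sessions[sid]


def demo(now=1_000_000.0):
    """Walk through the post's scenario; returns (accepted, after_pw_change, after_idle)."""
    clock = [now]                                          # constructed, controllable time source
    store = SessionStore(clock=lambda: clock[0])
    cookie = store.login("alice")
    copied = cookie                                        # a captured cookie is just the same string
    accepted = store.lookup(copied)                        # "alice": the copy is valid right now
    store.change_password("alice")
    after_change = store.lookup(copied)                    # None: revoked server-side
    fresh = store.login("alice")
    clock[0] += IDLE_TIMEOUT + 1
    after_idle = store.lookup(fresh)                       # None: idle timeout hit
    return accepted, after_change, after_idle
```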
