Broken cookie
It also affects Outlook, Yahoo, and LinkedIn.

A researcher has discovered a flaw in the way cookies—the tiny files websites send to your browser to store information about you—are used by Twitter, LinkedIn, Microsoft Outlook, Microsoft Live and Yahoo. That flaw makes those services vulnerable to hijacking.

Rishi Narang discovered that cookies for those services can be “stolen and reused,” according to Australia’s SC Magazine, in what is called a “session fixation” attack.

A cookie is the code that is used to identify a given user—it’s set when you log into a website, and used to store your preferences and other site-specific information.

If an attacker can intercept cookies while you’re logged in, he could effectively convince the website that his browser is your browser, gaining “unfettered access” to your account. Even a change of password wouldn’t keep the attacker out.

“Ever since the session management grew complex,” Narang wrote on his blog, “its correlation with security has gone for a toss.”

This type of attack only works when the target is already logged in because, generally speaking, the cookie is deleted when the user logs out. Narang discovered, however, that LinkedIn is an exception, sometimes retaining a user cookie for three months!

SC reported that they were able to duplicate Narang’s method “and [were] able to access various Twitter accounts by inserting the respective alphanumeric auth_token into locally-stored Twitter cookies using the Cookie Manager browser extension.”

The process of intercepting cookies is not simple, but would hardly be beyond the scope of an experienced hacker’s skills. It can be accomplished with cross-site request forgery.

The end user can do little to protect against a session fixation attack. The session ID a hacker would need to take over an account is usually carried in an HTTP cookie, which provides some security, though Narang considers it “a compensatory control...not a fix for a session management vulnerability.”

That is up to the companies whose products are vulnerable. One security professional suggested the vulnerable properties start requiring two cookies to authenticate a session instead of just one.
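The server-side controls the article circles around (issuing a fresh session ID at login so a planted one is never promoted, invalidating the ID on the server at logout rather than only clearing the browser cookie, expiring sessions instead of keeping them for months, and ending existing sessions on a password change) can be shown in a few dozen lines. The following is an added illustration written for this page, not code from Twitter, LinkedIn, Microsoft or Yahoo; the `SessionStore` class, its method names and the one-day `SESSION_TTL` are constructed for the example.

```python
import secrets
import time

# Constructed value for this example: sessions expire after one day of issue.
# A service can tune this, but an open-ended lifetime is what lets a copied
# cookie keep working long after the user has walked away.
SESSION_TTL = 24 * 3600


class SessionStore:
    """Minimal in-memory session store (added example, not a real service's code).

    Session records live on the server, so the server, not the browser, decides
    whether an ID is still valid. The browser cookie carries only the ID.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._sessions = {}        # session_id -> record
        self._pw_version = {}      # user -> counter bumped on password change

    def login(self, user, presented_id=None):
        """Issue a brand-new session ID at login.

        Any ID the client already presented is discarded rather than upgraded
        to an authenticated session. That is the basic session-fixation
        defence: an ID chosen or planted before login never becomes the
        logged-in one.
        """
        self._sessions.pop(presented_id, None)
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {
            "user": user,
            "expires": self._now() + SESSION_TTL,
            "pw_version": self._pw_version.get(user, 0),
        }
        return sid

    def user_for(self, sid):
        """Return the user behind a session ID, or None if it is not valid.

        An ID is rejected if it was never issued, has expired, or was issued
        before the user's most recent password change.
        """
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= self._now():
            del self._sessions[sid]
            return None
        if rec["pw_version"] != self._pw_version.get(rec["user"], 0):
            del self._sessions[sid]
            return None
        return rec["user"]

    def logout(self, sid):
        """Invalidate on the server.

        Deleting the cookie in the browser alone leaves the ID usable by
        anyone who copied it while the user was logged in.
        """
        self._sessions.pop(sid, None)

    def change_password(self, user):
        """Bump the user's password version so every existing session dies.

        This is the control the article notes is missing when a password
        change does not lock out someone already holding the cookie.
        """
        self._pw_version[user] = self._pw_version.get(user, 0) + 1


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", presented_id="id-the-attacker-already-knows")
    print("fresh id issued:", sid != "id-the-attacker-already-knows")
    print("valid after login:", store.user_for(sid) == "alice")
    store.change_password("alice")
    print("valid after password change:", store.user_for(sid) is not None)
```

The `pw_version` check is what closes the gap described above: a copied cookie stays valid only until the user changes their password, at which point every session issued under the old version is refused. The injectable clock exists only so that expiry can be exercised without waiting a day.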

H/T SC | Photo by Steven DePolo/Flickr
