A researcher has discovered a flaw in the way cookies—the tiny files websites send to your browser to store information about you—are used by Twitter, LinkedIn, Microsoft Outlook, Microsoft Live and Yahoo. That flaw makes those services vulnerable to hijacking.
A cookie is the identifier a website uses to recognize a given user—it is set when you log into the site, and it is used to store your preferences and other site-specific information.
If an attacker can intercept cookies while you’re logged in, he could effectively convince the website that his browser is your browser, gaining “unfettered access” to your account. Even a change of password wouldn’t keep the attacker out.
“Ever since the session management grew complex,” Narang wrote on his blog, “its correlation with security has gone for a toss.”
This type of attack only works when the target is already logged in because, generally speaking, the cookie is deleted when the user logs out. Narang discovered, however, that LinkedIn is an exception, sometimes retaining a user cookie for three months!
SC reported that they were able to duplicate Narang’s method “and [were] able to access various Twitter accounts by inserting the respective alphanumeric auth_token into locally-stored Twitter cookies using the Cookie Manager browser extension.”
The process of intercepting cookies is not simple, but would hardly be beyond the scope of an experienced hacker’s skills. It can be accomplished with cross-site request forgery.
The end user can do little to protect against a session fixation attack. The session ID a hacker would need to take over an account is usually carried in an HTTP cookie, which provides some security, though Narang considers it “a compensatory control...not a fix for a session management vulnerability.”
That is up to the companies whose products are vulnerable. One security professional suggested the vulnerable properties start requiring two cookies to authenticate a session instead of just one.