| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Jul 2007 00:34:53 +0530 From: Susam Pal <susam@...am.in> To: Neeraj Agarwal <nee.agl@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results An Orkut session cookie once stolen can be used by an attacker to mess with the compromised account as long as the session associated with that cookie remains alive at the server. Unfortunately, in case of Orkut, it remains alive even after the user has logged out. Joseph's experiment proves that it takes a pretty long time for the session to expire. So, the user of a compromised account has to either wait for the session to expire or hope that Google does something to terminate the sessions of the users who have logged out. Regards, Susam Pal http://susam.in/ Neeraj Agarwal wrote, On Tuesday 10 July 2007 02:44 PM: > my firnd got my session cookie a day before yesterdy.. > is there any method i can stop him by using my orkut account? > > On 7/10/07, *Deeþàn Chakravarthÿ* < codeshepherd@...il.com > <mailto:codeshepherd@...il.com>> wrote: > > Joseph Hick wrote: > > If you sign into orkut.com <http://orkut.com> then enter orkut in the > > filter box then you will see some orkut cookies. Look > > for orkut_state in www.orkut.com <http://www.orkut.com> site. > > > > It will work if you are logged in. if you log out > > orkut_state cookie disappears but the session remains > > active in orkut.com <http://orkut.com> server. So a big problem is > > happening in orkut. when attackers stole some cookies > > using XSS attacks earlier they were misusing the > > accounts after owner of account logged out. This > > problem is happening because after owner of account > > logged out the session remained active. > > > > In other sites like yahoo this is not possible because > > the session deactivates in the server after owner of > > account logs out. > > > > > Hi Joseph, > Thanks, I was looking for the cookie after logging off. > Thanks > Deepan > > --- Deeþàn Chakravarthÿ <codeshepherd@...il.com > <mailto:codeshepherd@...il.com>> > > wrote: > > > >> It works great. But I am not able to find a similar > >> cookie for my account. > >> Am I missing something ? > >> > >> Thanks > >> Deepan > >> > >> > >> Joseph Hick wrote: > >> > >>> This is the interim result of a proof of concept > >>> > >> for > >> > >>> Google Authentication issues posted in the > >>> > >> threads... > >> > >>> 1.) > http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html > <http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html> > > > >>> (Orkut Server Side Management Error by Susam Pal & > >>> Vipul Agarwal) > >>> > >>> 2.) > http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html > > > >>> (Google Re-authentication Bypass by Susam Pal) > >>> > >>> A session was created in Orkut at about Sat Jun 30 > >>> 20:30 UTC 2007. Between June 30 and now many have > >>> hijacked this session and logged out many times > >>> > >> but > >> > >>> the session is alive today as verified on Sun Jul > >>> > >> 8 at > >> > >>> 09:43:10 UTC 2007. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists