Date: Tue, 17 Aug 2004 14:04:05 +0530
From: "Rohit Dube" <rohit@...tikalsolutions.com>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>
Subject: Third party cookie handling in Opera can lead to potential compromises in Servers relying on redirection

Hi,
Opera's policy with respect to third-party cookies makes it vulnerable to
session replay attacks. This was discovered 2 weeks back. Opera's response
to the same is attached. The issue and the workaround are listed below.

Opera claims to be the fastest browser on earth and has the third largest
user base.

Issue:
If Opera's privacy policy is set to refuse all third-party cookies, some
servers (one is mail.yahoo.com) become susceptible to session replay
attacks. Reproduction steps for mail.yahoo.com are:
1. Set third-party cookie handling to refuse all third-party cookies.
2. Log in to your Yahoo mail account.
3. Sign out.
4. Check the cookies using the Opera cookie manager. The cookies 'T' and 'Y' are
set to expire in 1970.
5. Change the same to sometime in the future.
6. In the address bar, type mail.yahoo.com, and you will be in the last account
without needing username or password.

Yahoo is not maintaining a session at its end and is relying entirely on
cookies for session information. This leads to a session replay attack for
Opera users at public computers, cyber cafes etc. IE/Firefox/Mozilla work
fine. This can be reproduced for any network community which is relying on
cookies alone for session management across a host of its services [mail,
chat etc.].

Cause:
This is so because for the domain (mail.yahoo.com) the above-said two
cookies are not deleted/overwritten at logout if third-party cookie handling
is set to refuse all third-party cookies. According to Opera, this is so
because
"
cookies for the URL because it is considered a thirdparty
server (f533.mail.yahoo.com != yahoo.com). This is based on
the RFC 2109 (sec. 4.3.5) and RFC 2965 (sec. 3.3.6) definition
of "unverifiable transactions", which includes redirection.

RFC 2965:

  An unverifiable transaction is to a third-party host if its request-
  host U does not domain-match the reach R of the request-host O in the
  origin transaction.

  When it makes an unverifiable transaction, a user agent MUST disable
  all cookie processing (i.e., MUST NOT send cookies, and MUST NOT
  accept any received cookies) if the transaction is to a third-party
  host.
"

So, according to Opera, it's a case of correct implementation of the RFC causing
a compromise for the users. It all depends on what can be classified as an
unverifiable transaction.
Shouldn't this still be fixed either by Yahoo or by Opera for better
security of customers?

Workarounds are several:
1. Allow third party cookies.
2. Set Opera to delete all private data at the time of closure.

Credits:
Rohit Dube.

Thanx
Rohit Dube
KritiKal Solutions Private Limited
TB1,TBIU,
Block One Extension, 
IIT Delhi,
New Delhi - 110017
India.

----The reader this message encounters not failing to understand is
cursed.----

Content of type "message/rfc822" skipped
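The Opera response quoted above rests on the RFC 2965 definitions of "domain-match", "reach" and "third-party host". The following is an added example, not Opera's code and not part of the original message: it implements those three definitions from RFC 2965 section 1 and section 3.3.6 and applies them to the host names mentioned in the post. The origin hosts tried (yahoo.com versus mail.yahoo.com) are assumptions chosen to show that the classification, and therefore whether the browser disables cookie processing, depends entirely on which host counts as the origin of the transaction.

```python
"""RFC 2965 third-party classification, worked through for the hosts in the post.

Added example; not Opera's code and not part of the original message. The
functions follow the "domain-match" and "reach" definitions in RFC 2965
section 1 and the third-party rule quoted from section 3.3.6. The request
host is the one named in the post; the origin hosts are assumptions.
"""


def domain_match(a: str, b: str) -> bool:
    """RFC 2965 'domain-match' (case-insensitive and not commutative).

    A domain-matches B if the strings are equal, or if B begins with a dot
    and A ends with B after a non-empty prefix. So x.y.com matches .y.com
    but does not match y.com, and .y.com does not match x.y.com.
    """
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    if b.startswith(".") and a.endswith(b):
        return len(a) > len(b)  # the prefix N must be non-empty
    return False


def reach(host: str) -> str:
    """RFC 2965 'reach' of a host name.

    If the host has the form A.B where A has no interior dot and B has at
    least one interior dot (or B is "local"), the reach is .B; otherwise the
    reach is the host itself. A numeric IPv4 address is its own reach.
    """
    host = host.lower()
    if host.replace(".", "").isdigit() or "." not in host:
        return host
    a, b = host.split(".", 1)  # a has no interior dot by construction
    if "." in b[1:-1] or b == "local":  # b has an embedded (interior) dot
        return "." + b
    return host


def is_third_party(request_host: str, origin_host: str) -> bool:
    """Section 3.3.6: the transaction is to a third-party host if the
    request-host does not domain-match the reach of the origin request-host.
    A user agent then MUST NOT send or accept cookies for it."""
    return not domain_match(request_host, reach(origin_host))


def classify(request_host: str, origins: list) -> dict:
    """Map each candidate origin host to the third-party verdict for request_host."""
    return {o: is_third_party(request_host, o) for o in origins}


if __name__ == "__main__":
    # Hosts from the post; which one is the "origin" is the whole question.
    for origin, third in classify("f533.mail.yahoo.com",
                                  ["yahoo.com", "mail.yahoo.com"]).items():
        print(f"origin={origin:16} reach={reach(origin):12} third-party={third}")
```

With yahoo.com as the origin the reach is yahoo.com itself (the part after the first label, "com", has no interior dot), and f533.mail.yahoo.com does not domain-match it, which is exactly the verdict Opera gave. With mail.yahoo.com as the origin the reach is .yahoo.com, the same request host domain-matches it, and cookie processing would not be disabled.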

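The post's root cause is that the server "is not maintaining a session at its end and is relying entirely on cookies for session information", so a logout that only asks the browser to expire the cookie cannot be enforced once the browser keeps it. The following is an added example, not Yahoo's or Opera's code and not part of the original message: it models that cookie-only scheme beside a server-side session table whose logout deletes the session record, so a replayed cookie is refused regardless of what the client did with its copy. The user name, secret and timestamps are constructed for the demonstration, and "replay" is modelled simply as the client presenting the original cookie value after logout.

```python
"""Cookie-only versus server-side session state at logout.

Added example, not Yahoo's or Opera's code. The weak scheme trusts a
self-contained cookie until its expiry and stores nothing; the hardened
scheme keeps a session table and invalidates the entry at logout. All
names, the secret and the timestamps are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SECRET = b"demo-only-server-secret"  # constructed; a real deployment uses a random key


# --- weak scheme: the cookie *is* the session ---------------------------------
def cookie_only_login(user: str, expires: int) -> str:
    """Issue a self-contained cookie 'user|expiry|hmac'. Nothing is stored."""
    payload = f"{user}|{expires}".encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}|{mac}"


def cookie_only_authenticate(cookie: str, now: int) -> Optional[str]:
    """Accept any well-formed, untampered, unexpired cookie; return the user."""
    try:
        user, expires, mac = cookie.split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user if int(expires) > now else None


def cookie_only_logout(cookie: str) -> None:
    """All 'logout' can do is ask the browser to drop the cookie (an Expires
    date in 1970); the server holds nothing to invalidate."""
    return None


# --- hardened scheme: server-side session table -------------------------------
class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, int]] = {}  # sid -> (user, expires)

    def login(self, user: str, expires: int) -> str:
        sid = secrets.token_urlsafe(32)  # opaque, unguessable session id
        self._sessions[sid] = (user, expires)
        return sid

    def authenticate(self, sid: str, now: int) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:  # unknown, or already logged out
            return None
        user, expires = entry
        if expires <= now:  # server-side expiry, independent of the cookie's
            del self._sessions[sid]
            return None
        return user

    def logout(self, sid: str) -> None:
        """Invalidate server-side; the client's copy of the cookie no longer matters."""
        self._sessions.pop(sid, None)


def demo(now: int = 1_000_000) -> Tuple[bool, bool]:
    """Return (cookie_only_replay_succeeds, server_side_replay_succeeds)."""
    later = now + 3600
    # Weak: the client keeps the cookie past "logout" and presents it again.
    cookie = cookie_only_login("alice", later)
    cookie_only_logout(cookie)
    weak_replay = cookie_only_authenticate(cookie, now) == "alice"
    # Hardened: the same replay against a server-side store.
    store = SessionStore()
    sid = store.login("alice", later)
    assert store.authenticate(sid, now) == "alice"  # valid before logout
    store.logout(sid)
    strong_replay = store.authenticate(sid, now) == "alice"
    return weak_replay, strong_replay


if __name__ == "__main__":
    weak, strong = demo()
    print(f"cookie-only replay after logout succeeds: {weak}")
    print(f"server-side replay after logout succeeds: {strong}")
```

The point is that the cookie's expiry date is client-held data: a browser that declines to accept the expiring cookie (as Opera does for what it classifies as a third-party host), or a user who edits it, leaves the old value intact, and a server without its own record has no way to tell a replayed session from a live one.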