Message-ID: <001901c48434$f9993630$1432140a@mylaptop>
From: rohit at kritikalsolutions.com (Rohit Dube)
Subject: Third party cookie handling in Opera can lead to potential compromises in Servers relying on redirection
Hi,
Opera's policy with respect to third-party cookies makes it vulnerable to
session replay attacks. This was discovered 2 weeks back. Opera's response
to the same is attached. The issue and the workaround are listed below.
Opera claims to be the fastest browser on earth and has the third largest
user base.
Issue:
If Opera's privacy policy is set to refuse all third-party cookies, some
servers (one is mail.yahoo.com) become susceptible to session replay
attacks. Reproduction steps for mail.yahoo.com are:
1. Set third-party cookie handling to refuse all third-party cookies.
2. Log in to your Yahoo mail account.
3. Sign out.
4. Check the cookies using the Opera cookie manager. The cookies 'T' and 'Y' are
set to expire in 1970.
5. Change the same to some time in the future.
6. In the address bar, type mail.yahoo.com; you will be in the last account
without needing a username or password.
Yahoo is not maintaining a session at its end and is relying entirely on
cookies for session information. This leads to a session replay attack for
Opera users at public computers, cyber cafes etc. IE/Firefox/Mozilla work
fine. This can be reproduced for any network community which is relying on
cookies alone for session management across a host of its services [mail,
chat etc.].
Cause:
This is so because for the domain (mail.yahoo.com) the above said two
cookies are not deleted/overwritten at logout if third-party cookie handling
is set to refuse all third-party cookies. According to Opera, this is so
because
"
cookies for the URL because it is considered a third-party
server (f533.mail.yahoo.com != yahoo.com). This is based on
the RFC 2109 (sec. 4.3.5) and RFC 2965 (sec. 3.3.6) definition
of "unverifiable transactions", which includes redirection.
RFC 2965:
An unverifiable transaction is to a third-party host if its request-
host U does not domain-match the reach R of the request-host O in the
origin transaction.
When it makes an unverifiable transaction, a user agent MUST disable
all cookie processing (i.e., MUST NOT send cookies, and MUST NOT
accept any received cookies) if the transaction is to a third-party
host.
"
So, according to Opera, it's a case of correct implementation of the RFC causing
a compromise for the users. It all depends on what can be classified as an
unverifiable transaction.
Shouldn't this still be fixed either by Yahoo or by Opera for better
security of customers?
Workarounds are several:
1. Allow third party cookies.
2. Set Opera to delete all private data at the time of closure.
Credits:
Rohit Dube.
Thanx
Rohit Dube
KritiKal Solutions Private Limited
TB1,TBIU,
Block One Extension,
IIT Delhi,
New Delhi - 110017
India.
----The reader this message encounters not failing to understand is
cursed.----
-------------- next part --------------
An embedded message was scrubbed...
From: "Rohit Dube" <rddube@...il.com>
Subject: Fwd: Cookie handling in opera, third party cookies.
Date: Tue, 17 Aug 2004 11:19:31 +0530
Size: 8356
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040817/697962c5/attachment.mht
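The RFC 2965 reach and domain-match rules quoted in the message above, as an added example that is not part of the original post or of Opera's code: it applies them to the host names from the post and models a cookie store that ignores Set-Cookie on third-party unverifiable transactions (such as the logout redirect). The origin hosts tried (yahoo.com and mail.yahoo.com), the cookie values and the simplified store are assumptions, not what Opera or Yahoo actually use.

```python
# Added example (not from the original post or from Opera): RFC 2965
# "reach" and "domain-match", and a model of the refuse-all-third-party
# cookie setting applied to the logout step described in the post.

def domain_match(a: str, b: str) -> bool:
    """RFC 2965 sec. 1: A domain-matches B if the names compare equal
    (case-insensitively), or B has the form .B' and A ends in B.
    So x.y.com domain-matches .y.com but not y.com."""
    a, b = a.lower(), b.lower()
    if a == b:
        return True
    return b.startswith(".") and len(a) > len(b) and a.endswith(b)


def reach(host: str) -> str:
    """RFC 2965 sec. 1: for a host name A.B where A has no embedded dots and
    B has at least one embedded dot (or is 'local'), the reach is .B;
    otherwise the reach is the host name itself."""
    host = host.lower()
    first, sep, rest = host.partition(".")
    if sep and (rest == "local" or "." in rest[1:-1]):
        return "." + rest
    return host


def is_third_party(origin_host: str, request_host: str) -> bool:
    """RFC 2965 sec. 3.3.6: an unverifiable transaction is to a third-party
    host if the request host does not domain-match the reach of the host
    of the origin transaction."""
    return not domain_match(request_host, reach(origin_host))


def logout_clears_cookies(origin_host: str, request_host: str,
                          refuse_third_party: bool = True) -> dict:
    """Model the logout step from the post: the response on request_host
    tries to expire the (constructed) session cookies T and Y. With
    third-party cookies refused, a user agent that classifies the redirected
    request as third-party must ignore those Set-Cookie headers, so the
    original values survive in the cookie store."""
    jar = {"T": "session-token", "Y": "login-cookie"}  # constructed values
    if refuse_third_party and is_third_party(origin_host, request_host):
        return jar                                      # Set-Cookie ignored
    for name in jar:
        jar[name] = "expired"                           # cookie cleared
    return jar
```

Whether the logout is honoured depends entirely on which host counts as the origin transaction, which is the point of contention in the post; a server that invalidates the session on its own side at logout makes the surviving cookie useless either way.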