lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <562020.96926.qm@web38014.mail.mud.yahoo.com>
Date: Mon, 2 Jul 2007 02:41:01 -0700 (PDT)
From: Joseph Hick <leet16y@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Google/Orkut Authentication Issue PoC

It has been more than 36 hours and we have logged out
of the account at least 10 times. The POC still works
and my account can still be hijacked.

This proves the Net-Square report - "Google has fixed
this problem on their side. session cookies are now
set to expire within 24 hours from the server side, as
opposed to two weeks." - to be wrong.

Moreover expiry within 24 hours is not a fix. expiry
of session in 24 hours + expiry of session on logout +
disabling the session on lockout is a fix.

--- Joseph Hick <leet16y@...oo.com> wrote:

> This is a proof of concept for Google Authentication
> issues posted in the threads...
> 
> 1.)
>
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html
> (Orkut Server Side Management Error by Susam Pal &
> Vipul Agarwal)
> 
> 2.)
>
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html
> (Google Re-authentication Bypass by Susam Pal)
> 
> I found that after logging out Google session
> doesn't
> expire in 24 hours. It is longer. I am doing this
> experiment to see how long the session remains alive
> after logging out.
>     
> I am posting a session cookie for my account.
> 
> Name: orkut_state
> Cookie:
>
ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=0:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1183210062:LCL=en-US:NET=1:TOS=1:GC=DQAAAIMAAAArC-mJYqsrCOnv8uVQHdFUccRFQX8-ibRerEzrie5sOWNc06zs4z4fMNpovLUyRcNXHwxk8WzY6Z6SmvxcSmL1hAW4Mrdvazzkssq5VjSO70oE1HSFR4KOkSb3ZLg-U7k0x8c7ZuLHwu_qY2Umy8oobckg9UctWXYd1qoerXUTzsFSuLNXHdiAEVCSw7fUO00:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:VER=2:S=1Ah7VcA0JetHQ0Mgyfp4Jb6meXw=:
> Domain: .www.orkut.com
> Path: /
> Send for: Any type of session
> Expires: Expire at end of session
> 
> I have logged out but you can use this cookie in
> this
> way... (anyone can try this. You don't need Orkut
> account to try this)
> 
> 1.) Open Firefox, etc. which allows cookie editing.
> This extension is required...
> https://addons.mozilla.org/en-US/firefox/addon/573
> 
> 2.) Set the given cookie.
> 
> 3.) Try to visit http://www.orkut.com/Home.aspx
> 
> 4.) You will be automatically logged in with my
> account. It will not ask for any user-name or
> password.
> 
> 5.) Logout
> 
> 6.) Repeat steps 1. to 4. You can log in again.
> 
> I want to see how long this session remains alive
> after multiple logout. If you try this POC leave a
> message in the scrapbook of the account here ...
> http://www.orkut.com/Scrapbook.aspx
> 
> Thanks
> Joseph
> 



       
____________________________________________________________________________________
Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online.
http://smallbusiness.yahoo.com/webhosting 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ