lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Jul 2007 02:41:01 -0700 (PDT) From: Joseph Hick <leet16y@...oo.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Google/Orkut Authentication Issue PoC It has been more than 36 hours and we have logged out of the account at least 10 times. The POC still works and my account can still be hijacked. This proves the Net-Square report - "Google has fixed this problem on their side. session cookies are now set to expire within 24 hours from the server side, as opposed to two weeks." - to be wrong. Moreover expiry within 24 hours is not a fix. expiry of session in 24 hours + expiry of session on logout + disabling the session on lockout is a fix. --- Joseph Hick <leet16y@...oo.com> wrote: > This is a proof of concept for Google Authentication > issues posted in the threads... > > 1.) > http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html > (Orkut Server Side Management Error by Susam Pal & > Vipul Agarwal) > > 2.) > http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html > (Google Re-authentication Bypass by Susam Pal) > > I found that after logging out Google session > doesn't > expire in 24 hours. It is longer. I am doing this > experiment to see how long the session remains alive > after logging out. > > I am posting a session cookie for my account. > > Name: orkut_state > Cookie: > ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=0:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1183210062:LCL=en-US:NET=1:TOS=1:GC=DQAAAIMAAAArC-mJYqsrCOnv8uVQHdFUccRFQX8-ibRerEzrie5sOWNc06zs4z4fMNpovLUyRcNXHwxk8WzY6Z6SmvxcSmL1hAW4Mrdvazzkssq5VjSO70oE1HSFR4KOkSb3ZLg-U7k0x8c7ZuLHwu_qY2Umy8oobckg9UctWXYd1qoerXUTzsFSuLNXHdiAEVCSw7fUO00:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:VER=2:S=1Ah7VcA0JetHQ0Mgyfp4Jb6meXw=: > Domain: .www.orkut.com > Path: / > Send for: Any type of session > Expires: Expire at end of session > > I have logged out but you can use this cookie in > this > way... (anyone can try this. You don't need Orkut > account to try this) > > 1.) Open Firefox, etc. which allows cookie editing. > This extension is required... > https://addons.mozilla.org/en-US/firefox/addon/573 > > 2.) Set the given cookie. > > 3.) Try to visit http://www.orkut.com/Home.aspx > > 4.) You will be automatically logged in with my > account. It will not ask for any user-name or > password. > > 5.) Logout > > 6.) Repeat steps 1. to 4. You can log in again. > > I want to see how long this session remains alive > after multiple logout. If you try this POC leave a > message in the scrapbook of the account here ... > http://www.orkut.com/Scrapbook.aspx > > Thanks > Joseph > ____________________________________________________________________________________ Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online. http://smallbusiness.yahoo.com/webhosting _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists