lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4693D855.9060806@susam.in>
Date: Wed, 11 Jul 2007 00:34:53 +0530
From: Susam Pal <susam@...am.in>
To: Neeraj Agarwal <nee.agl@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google/Orkut Authentication/Session
 Management Issue PoC - Interim Results

An Orkut session cookie once stolen can be used by an attacker to mess
with the compromised account as long as the session associated with that
cookie remains alive at the server. Unfortunately, in case of Orkut, it
remains alive even after the user has logged out.

Joseph's experiment proves that it takes a pretty long time for the
session to expire. So, the user of a compromised account has to either
wait for the session to expire or hope that Google does something to
terminate the sessions of the users who have logged out.

Regards,
Susam Pal
http://susam.in/

Neeraj Agarwal wrote, On Tuesday 10 July 2007 02:44 PM:
> my firnd got my session cookie a day before yesterdy..
> is there any method i can stop him by using my orkut account?
> 
> On 7/10/07, *Deeþàn Chakravarthÿ* < codeshepherd@...il.com 
> <mailto:codeshepherd@...il.com>> wrote:
> 
>     Joseph Hick wrote:
>      > If you sign into orkut.com <http://orkut.com> then enter orkut in the
>      > filter box then you will see some orkut cookies. Look
>      > for orkut_state in www.orkut.com <http://www.orkut.com> site.
>      >
>      > It will work if you are logged in. if you log out
>      > orkut_state cookie disappears but the session remains
>      > active in orkut.com <http://orkut.com> server. So a big problem is
>      > happening in orkut. when attackers stole some cookies
>      > using XSS attacks earlier they were misusing the
>      > accounts after owner of account logged out. This
>      > problem is happening because after owner of account
>      > logged out the session remained active.
>      >
>      > In other sites like yahoo this is not possible because
>      > the session deactivates in the server after owner of
>      > account logs out.
>      >
>      >
>     Hi Joseph,
>       Thanks, I was looking for the cookie after logging off.
>     Thanks
>     Deepan
>      > --- Deeþàn Chakravarthÿ <codeshepherd@...il.com
>     <mailto:codeshepherd@...il.com>>
>      > wrote:
>      >
>      >> It works great. But I am not able to find a similar
>      >> cookie for my account.
>      >> Am I missing something ?
>      >>
>      >> Thanks
>      >> Deepan
>      >>
>      >>
>      >> Joseph Hick wrote:
>      >>
>      >>> This is the interim result of a proof of concept
>      >>>
>      >> for
>      >>
>      >>> Google Authentication issues posted in the
>      >>>
>      >> threads...
>      >>
>      >>> 1.)
>     http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html
>     <http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html>
>      >
>      >>> (Orkut Server Side Management Error by Susam Pal &
>      >>> Vipul Agarwal)
>      >>>
>      >>> 2.)
>     http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html
>      >
>      >>> (Google Re-authentication Bypass by Susam Pal)
>      >>>
>      >>> A session was created in Orkut at about Sat Jun 30
>      >>> 20:30 UTC 2007. Between June 30 and now many have
>      >>> hijacked this session and logged out many times
>      >>>
>      >> but
>      >>
>      >>> the session is alive today as verified on Sun Jul
>      >>>
>      >> 8 at
>      >>
>      >>> 09:43:10 UTC 2007. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ