lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 10 Jul 2007 01:46:12 -0700 (PDT)
From: Joseph Hick <leet16y@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Google/Orkut Authentication/Session
	Management Issue PoC - Interim Results

If you sign into orkut.com then enter orkut in the
filter box then you will see some orkut cookies. Look
for orkut_state in www.orkut.com site.

It will work if you are logged in. if you log out
orkut_state cookie disappears but the session remains
active in orkut.com server. So a big problem is
happening in orkut. when attackers stole some cookies
using XSS attacks earlier they were misusing the
accounts after owner of account logged out. This
problem is happening because after owner of account
logged out the session remained active.

In other sites like yahoo this is not possible because
the session deactivates in the server after owner of
account logs out.

Thanks
Joseph

--- Deeþàn Chakravarthÿ <codeshepherd@...il.com>
wrote:
> It works great. But I am not able to find a similar
> cookie for my account.
> Am I missing something ?
> 
> Thanks
> Deepan
> 


> Joseph Hick wrote:
> > This is the interim result of a proof of concept
> for
> > Google Authentication issues posted in the
> threads...
> >
> > 1.)
> >
>
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html
> > (Orkut Server Side Management Error by Susam Pal &
> > Vipul Agarwal)
> >
> > 2.)
> >
>
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html
> > (Google Re-authentication Bypass by Susam Pal)
> >
> > A session was created in Orkut at about Sat Jun 30
> > 20:30 UTC 2007. Between June 30 and now many have
> > hijacked this session and logged out many times
> but
> > the session is alive today as verified on Sun Jul
> 8 at
> > 09:43:10 UTC 2007. The cookie for this PoC session
> is
> > ...
> >
> > Name: orkut_state
> > Cookie:
> >
>
ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=0:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1183210062:LCL=en-US:NET=1:TOS=1:GC=DQAAAIMAAAArC-mJYqsrCOnv8uVQHdFUccRFQX8-ibRerEzrie5sOWNc06zs4z4fMNpovLUyRcNXHwxk8WzY6Z6SmvxcSmL1hAW4Mrdvazzkssq5VjSO70oE1HSFR4KOkSb3ZLg-U7k0x8c7ZuLHwu_qY2Umy8oobckg9UctWXYd1qoerXUTzsFSuLNXHdiAEVCSw7fUO00:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:VER=2:S=1Ah7VcA0JetHQ0Mgyfp4Jb6meXw=:
> > Domain: .www.orkut.com
> > Path: /
> > Send for: Any type of session
> > Expires: Expire at end of session
> >
> > This proves that the session remains alive for at
> > least 7 days after logging out. Steps to verify
> > this...
> >
> > 1.) Open Firefox, etc. which allows cookie
> editing.
> > This extension is required...
> > https://addons.mozilla.org/en-US/firefox/addon/573
> >
> > 2.) Set the given cookie.
> >
> > 3.) Try to visit http://www.orkut.com/Home.aspx
> >
> > 4.) You will be automatically logged in with my
> > account. It will not ask for any user-name or
> > password.
> >
> > 5.) Logout
> >
> > 6.) Repeat steps 1. to 4. You can log in again.
> >
> > I want to see how long this session remains alive
> > after multiple logout. If you try this POC leave a
> > message in the scrapbook of the account here ...
> > http://www.orkut.com/Scrapbook.aspx
> >
> > Thanks
> > Joseph
> >
> >   
> 

> 



       
____________________________________________________________________________________
Get the free Yahoo! toolbar and rest assured with the added security of spyware protection.
http://new.toolbar.yahoo.com/toolbar/features/norton/index.php

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ