Date: Sat, 11 Jun 2011 21:47:57 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: adam <adam@...sy.net>, Madhur Ahuja <ahuja.madhur@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Session Sidejacking in facebook

LMFAO

From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of adam
Sent: Saturday, June 11, 2011 1:57 PM
To: Madhur Ahuja
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Session Sidejacking in facebook

I was actually just kidding about releasing it to the list, but given the nature of the vulnerability - the disclosure could have been a lot worse.

"Is this how it works on all social sites?"

I've personally witnessed countless sites that authenticate a user based on a userID/token combination (and nothing else). Depending on the actual token length, brute-forcing it is sometimes even possible.

"If the answer is yes, I will be highly doubtful of using the internet at
any public place where a sniffing or MITM attack is relatively simple to
make."

As you should be, but don't just apply it to social networking sites.

"Are there any measures to prevent it?"

Servers/applications could do a little more to protect against it (e.g. token X is only valid for IP Y, or by using flash cookies as part of the authentication process, etc.). The difference is, in your example, the IP check wouldn't make a difference. Flash cookies aren't necessarily the best route either, for compatibility and other reasons.

On the client side, I'd recommend using a secure VPN connection any time you're accessing the internet from a public place/network. You could do that, tunnel over SSH, whatever. The point being: don't send unencrypted data across public networks, unless privacy isn't important (e.g. browsing Wikipedia).

On Sat, Jun 11, 2011 at 3:43 PM, Madhur Ahuja <ahuja.madhur@...il.com> wrote:
Recently, there was a vulnerability discovered in LinkedIn, which is
described here http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/

Basically, this allows someone on the network to sniff a cookie value and
apply it in his browser session to hijack the target's user session.

This simple concept even works in Facebook. I was able to hijack
n number of users' sessions sitting in my university room in a few
minutes.

For every POST request in facebook, a similar cookie string is transmitted:

Cookie: datr=09bXXXQ2oOgQuUK0yAzK_JU9; lu=wgj9pmpkAsdXXXTp5vthfh2w;
locale=en_US; L=2; act=13078123502562F3; c_user=xxxxxx;
sct=1123416461; xs=603Afe43db8a71239bd8d7b2a831xxx6241f;
presence=EM307818375L26REp_5f123422481F22X3078XXX1367K1H0V0Z21G307818375PEuoFD769839560FDexpF1307818409174EflF_5b_5dEolF-1CCCC;
e=n

I was able to hijack the remote user's session by just placing the
value of 2 cookies, c_user (which is obviously the user id) and xs (which
seems like an auth token), in my browser session.

Step by step POC:
http://madhur.github.com/blog/2011/06/12/facebooksessionhijacking.html


Is this how it works on all social sites?

If the answer is yes, I will be highly doubtful of using the internet at
any public place where a sniffing or MITM attack is relatively simple to
make.

Are there any measures to prevent it?

Madhur
http://madhur.github.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
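The common root cause in the LinkedIn case and the Facebook one above is a session cookie that the browser also sends over plain HTTP, so anyone on the network path can read it. As an added example that is not part of any message in this thread, here is a small Python audit that flags session cookies issued without the Secure and HttpOnly attributes, followed by a server-side session store that binds each token to the client address that obtained it, as adam suggests; the cookie names other than c_user and xs, and the store design, are assumptions.

```python
"""Audit Set-Cookie headers for sidejacking exposure, and bind session
tokens to the issuing client address. Standalone example."""
import secrets
from http.cookies import SimpleCookie

# Cookie names that carry authentication state. c_user and xs are the two
# the post identifies; the others are assumed names for illustration.
SESSION_COOKIES = {"c_user", "xs", "sessionid", "JSESSIONID"}


def audit_set_cookie(set_cookie_headers):
    """Return {name: [missing attributes]} for every session cookie that
    a network sniffer could capture (no Secure) or script could read
    (no HttpOnly). Non-session cookies such as locale are ignored."""
    findings = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)          # parses value plus Path/Secure/HttpOnly
        for name, morsel in jar.items():
            if name not in SESSION_COOKIES:
                continue
            missing = []
            if not morsel["secure"]:
                missing.append("Secure")    # sent over plain HTTP as well
            if not morsel["httponly"]:
                missing.append("HttpOnly")  # exposed to injected script
            if missing:
                findings[name] = missing
    return findings


class SessionStore:
    """Assumed server-side store: a token only authenticates requests from
    the address it was issued to, so a copied token replayed from another
    host is rejected. Caveat: clients behind the same NAT (the university
    network in the post) share an address, so this is a partial measure."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user_id, client_ip):
        token = secrets.token_urlsafe(32)   # unguessable, not brute-forceable
        self._sessions[token] = (user_id, client_ip)
        return token

    def validate(self, token, client_ip):
        entry = self._sessions.get(token)
        if entry is None or entry[1] != client_ip:
            return None                     # unknown token or wrong origin
        return entry[0]
```

Running `audit_set_cookie` on the response headers of a login page is a quick way to spot the LinkedIn-style issue before someone on the wireless network does.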
