lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 26 Jun 2014 11:19:10 +0200
From: "Christian K." <waffenklang@...glemail.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Session Hijack Vulnerabilty on ebays german want ad?

Hi rob,

I tried what you said and it does not affect the other session.

The open session stays open and is not invalidated.

@all others: Thanks for all the helpful explanations; For me this is clear
now and I reported this issue.

Regards,

Christian


2014-06-24 22:03 GMT+02:00 R D <rd.seclists@...il.com>:

> Hi all,
> Yes Christian, this might be a security vulnerability, but it's an edge
> case.
>
> To me, the problem here is the difference between the user expectation and
> what really happens.
> A clear case of a similar vuln is when you log out of a website and what
> the website actually does is just deleting the cookies on your browser, but
> not invalidating the session Id server-side (so the session is still valid
> for any attacker holding onto the cookie).
> In your case, you click the "forgot password" button. One might say you
> have no expectation of this killing any other session you might have on the
> application. But in reality, the password reset function might be used in
> the case of a (suspected) account compromise; either you cannot login
> because an attacker has changed your password, or you can't be bothered to
> log in to change your password but you suspect someone might have gained
> access to your account. In both cases this is clearly not the intended
> behaviour as the attacker remains in control of your account.
>
> You might want to try changing your password while logged in and see if
> when the password is changed this way, the other sessions are invalidated.
>
> Regards,
> --rob'
>
> On Mon, Jun 23, 2014 at 9:39 PM, uname -a <sec.list@....net> wrote:
>
> > Yes it is a vector.
> > Imagin the following:
> > you go to a "friend". there you log in to your site.
> > before you leave, you forgotten to logout.
> > at home you change your password.
> > but your friend can still use your account.
> >
> > greetings
> >
> > Am 23.06.2014 20:21, schrieb Christian K.:
> > > Hi,
> > >
> > > i have a question if this is an attack vector (website is german want
> ad
> > > branch from ebay kleinanzeigen.ebay.de prob. english site affected
> too):
> > >
> > > On Computer A the browser (FF) has an open tab with the site where,
> when
> > > visited, user A is always signed on (because the specific site is the
> > user
> > > panel).
> > >
> > > On Computer B user A wants to log into his account, but forgot his
> > > password. He successfully changed his password using the "forgot
> > password"
> > > button and was able to log in.
> > >
> > > Then user A moves from Computer B to Computer A (which was off at the
> > time
> > > user A was at Computer B) and starts its browser where he realizes that
> > he
> > > is still logged into his account on the site without any password
> > > confirmation.
> > >
> > > As this happend to me, the question is: is this an attack vector (I
> > assume
> > > it is) and how can I as a user protect myself? Am not really into
> > security
> > > engineering (just non-sec-related software engineering...), so forgive
> my
> > > dumbness!
> > >
> > > Thanks.
> > >
> > >
> > > C.
> > >
> > > _______________________________________________
> > > Sent through the Full Disclosure mailing list
> > > http://nmap.org/mailman/listinfo/fulldisclosure
> > > Web Archives & RSS: http://seclists.org/fulldisclosure/
> > >
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > http://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/
> >
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists