https://samsclass.info/123/proj10/cookie-reuse.htm
Cookie Re-Use in Office 365 and Other Web Services
Topics
- American Express and Chase
- Background
- List of Vulnerable Sites
- ASP.NET and Cookie-Re-Use
- Instructions for Testing Sites
- Media Coverage
- Changelog
Hacking into my American Express Account Without a Password
Note: I just tested it with a time delay, and the stolen cookie stops working after ten minutes of inactivity, so that lowers the risk to some extent. -- Added 11:19 am 7-23-13
Hacking into my Chase Account Without a Password
Note: I just tested it with a time delay, and the stolen cookie stops working after ten minutes of inactivity, so that lowers the risk to some extent. -- Added 2:07 pm 7-23-13
Background
In 2012, The Hacker News posted this article showing that stolen cookies can be re-used in Hotmail and outlook.com. I wondered if it was still true, and I easily reproduced it using Chrome and the Edit This Cookie extension.
Why this is Important
There are many ways of stealing cookies: XSS, malware, or just stealing your phone. And the person with the cookie can still use your account after you log off. Office 365 even lets attackers continue to use old cookies after you change your password, and after copying the cookies to a different machine. So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking attackers.
Why doesn't logging off cancel the cookie? That is obviously the intent of the user who clicks it. This seems like a bug to me. However, Microsoft was notified last year and decided they like it this way, as detailed in the Hacker News article.
Please Help
Please test more services and tweet results to me @sambowne. Click here for step-by-step instructions.
Here is the list of sites I and others have tested so far.
Category | BAD | GOOD
Financial | American Express (E), Chase (E) | Discover Card (J), @askRegions Bank (I), TDbank (G), Bank of America (L), Arizona Federal Credit Union (L), @BECU (O)
Shopping | Amazon (A C), IBM (including Many Eyes), NetFlix (F), TigerDirect (A C), Woot (M) | Adobe, Craigslist, Travelocity, Newegg (N)
Email & Social | Chrome App Store (A C G H), Flickr, iCloud (C K), Live.com, Office 365 (A B), Soundcloud (G), Stumbleupon, Twitter (C K), Wordpress, Yahoo mail, YouTube (D G H) | Facebook, Gmail, Tweetdeck
News | Forbes, The Guardian, Huffington Post, The New York Times, The Register | Ars Technica, Slashdot
Security | Packet Storm (G) | Cloudflare (Fixed on 7-25-13), (ISC)^2, LastPass, Mitto, My1Login, Need My Password, Passpack
Others | CourseSmart, Github, NameCheap (I), Vimeo, Waze, WHMCS (G) | alpha.app.net (tested by @nicoduck), Dropbox, Godaddy, Insight (CCSF's Online Course System)
Notes
A - Cookie still works after password reset! (ty @dakami for asking this question)
B - Cookie still works when copied to another machine (ty @0x90NOP and @winremes for asking this question)
C - Cookie still worked after 12 hours logged out
D - Cookie no longer worked after 12 hours logged out
E - Cookie expires after 10 minutes
F - Tested by @privacyfanatic
G - Tested by @_KrypTiK
H - Verified by @sambowne
I - Tested by @jTizYl
J - Tested by Julie Hietschold
K - Password reset invalidates old cookie
L - Tested by Hector Acencio
M - Tested by @NDRoughneck
N - Tested by @splint3rz
O - Tested by @vaha
ASP.NET and Cookie Re-Use
I got this message from Richard Turnbull after my Defcon 21 talk with Matthew Prince:
"Re: the ineffective logout mechanisms you were talking about... ASP.NET's forms authentication function exhibits the behaviour you were describing (i.e. only invalidating the cookie on the client side at logout). This is definitely a bad idea (which is of course the point you were making) but I guess it is part of the reason why so many sites have this issue (in particular I remember seeing Office365 and another Microsoft site on your list - they may well be using ASP.NET). We often report this issue when doing web application assessments for our clients, but without any real expectation that they'll do anything about it (because they'd either have to stop using ASP.NET forms auth or somehow persuade Microsoft to fix it!)"
From: Richard Turnbull, Principal Security Consultant, NCC Group
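The behaviour described in the Background section and in Richard Turnbull's note, as an added example that is not from this page or from ASP.NET: a toy server-side session store in Python (all names are assumptions) contrasting a logout that only clears the browser cookie with one that revokes the session on the server, plus the ten-minute idle expiry and password-reset invalidation noted in the test results above.

```python
# Added example, not code from the page: a minimal server-side session table that
# shows why a logout which only clears the browser cookie leaves an exported copy
# usable, and what a proper logout, idle timeout and password reset do instead.
import secrets

IDLE_TIMEOUT = 10 * 60  # the ten-minute idle expiry the page observed at AmEx and Chase

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> [user, last_seen, password_generation]
        self._pw_gen = {}    # user -> counter, bumped on every password reset

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = [user, now, self._pw_gen.get(user, 0)]
        return sid

    def resolve(self, sid, now):
        """Return the user a presented cookie maps to, or None if it is not valid."""
        rec = self._sessions.get(sid)
        if rec and now - rec[1] <= IDLE_TIMEOUT and rec[2] == self._pw_gen.get(rec[0], 0):
            rec[1] = now  # sliding idle window
            return rec[0]
        self._sessions.pop(sid, None)  # unknown, idle too long, or password changed
        return None

    def logout_client_only(self, sid):
        """The weak pattern the page describes: the browser is told to drop the
        cookie (Set-Cookie: session=; Max-Age=0) but the server keeps the session,
        so an exported copy of the cookie still works after logout."""

    def logout(self, sid):
        """Proper logout: revoke the session on the server as well."""
        self._sessions.pop(sid, None)

    def password_reset(self, user):
        """Invalidate every session issued before the reset (note K on the page)."""
        self._pw_gen[user] = self._pw_gen.get(user, 0) + 1


def replay(event):
    """Export a cookie, apply one event, then replay the copy: the user, or None."""
    store = SessionStore()
    copied = store.login("alice", now=0)
    action = {"weak_logout": store.logout_client_only, "logout": store.logout,
              "password_reset": lambda _: store.password_reset("alice")}.get(event)
    if action:
        action(copied)
    return store.resolve(copied, now=IDLE_TIMEOUT + 1 if event == "idle" else 1)
```

Only the "weak_logout" case still resolves the copied cookie to a user; the server-side logout, the idle window and the password reset all reject it.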
Step-by-Step instructions
1. Log in to Office 365 (or the other site you are testing)

Your name appears in the upper right corner, as shown below, and your emails are visible.
2. Save the URL
The URL of this page is different from the URL of the login page. Add this page to your Favorites, or make some other record of its URL.
3. Export Cookies
Click the cookie icon, and click "Export cookies". A message pops up saying "Cookies copied to clipboard" as shown below:
4. Log Out
You now see the login screen, and your emails are no longer visible.
5. Return to the URL
Click the Favorite you made in step 2. As expected, that page does not show your emails anymore--it just redirects back to the login page.
6. Import Cookies
Click the cookie icon, and click "Import cookies". A box appears saying "Paste here the cookies to import". Paste the cookies there, as shown below (I redacted the image, since anyone with this data can apparently get into my Office 365 account.)
Then click the "Submit cookie changes" button.
7. Return to the URL Again
Click the Favorite you made. If the site is vulnerable, you'll see your personalized page, as shown below. If the site is not vulnerable, you will see a logon page.
Media Coverage
This issue has been published by @privacyfanatic in Network World!
Changelog
Posted 12:23 pm 7-15-13 by Sam Bowne
Yahoo and Gmail test added 1:36 PM
More services added 6:24 pm 7-15-13
Reformatted 6:35 pm
More sites added 9:50 pm
iCloud and NetFlix added 11:26 am 7-16-13
Live.com, Dropbox, Box, GitHub, and Cloudflare 2:33 pm 7-16-13
Edit 3:05 PM
Password reset for Office 365 tested 3:28 pm 7-16-13
Copying to another machine tested 3:41 pm 7-16-13
Added Insight, Waze 4:04 pm 7-16-13
Format changed 6:13 pm 7-16-13
Password managers added 10:40 am 7-17-13
app.net added 11:10 am 7-17-13
Added many news sites 8:18 am 7-19-13
Discover added 4 pm 7-21-13
IBM, Reddit, Adobe, and Flickr added 1:50 pm 7-22-13
Reformatted 6:05 pm 7-22-13
Videos added with Chase and AmEx vulnerabilities 0:00 am 7-23-13
AmEx's ten-minute logout added 11:57 am 7-23-13
Chase's ten-minute logout added 2:06 pm 7-23-13
NameCheap and @askRegions Bank added 2:35 pm 7-23-13
Adobe moved from Bad to Good 11:36 am 7-24-13
Soundcloud added 12:14 pm 7-25-13
YouTube, Chrome, and TDbank added 12:47 pm 7-25-13
WHMCS added 2:09 pm 7-25-13
Packet Storm added 6:30 pm 7-25-13
Cloudflare moved to GOOD 7:23 pm 7-25-13
Duplicate of Vimeo removed 8:02 PM 7-25-13
Reformatted, 12 hr. test notes added 8:40 am 7-26-13
Note from Richard Turnbull added; "Topics" section added 11:36 am 8-3-13
Updated 1:12 pm 8-7-13 with L and M info
Updated 1:33 pm 8-8-13 with N info
Updated 11:42 am 8-13-13 with O info