Full Disclosure mailing list archives
Google/Orkut Session Expiry PoC - Results
From: Joseph Hick <leet16y () yahoo com>
Date: Sun, 15 Jul 2007 02:41:50 -0700 (PDT)
Orkut session remains alive for 14 days after logout. This is the result of an experiment for Google Authentication issues posted in the threads... 1.) http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html (Orkut Server Side Management Error by Susam Pal & Vipul Agarwal) 2.) http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html (Google Re-authentication Bypass by Susam Pal) A session was created in Orkut at about Sat Jun 30 20:30 UTC 2007. Between June 30 and yesterday many have hijacked this session and logged out many times but it was last known to be alive at Sat Jul 14 13:09:48 UTC 2007. The cookie for this PoC session has expired today Sun Jul 15. The session cookie for this PoC was... Name: orkut_state Cookie: ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=0:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1183210062:LCL=en-US:NET=1:TOS=1:GC=DQAAAIMAAAArC-mJYqsrCOnv8uVQHdFUccRFQX8-ibRerEzrie5sOWNc06zs4z4fMNpovLUyRcNXHwxk8WzY6Z6SmvxcSmL1hAW4Mrdvazzkssq5VjSO70oE1HSFR4KOkSb3ZLg-U7k0x8c7ZuLHwu_qY2Umy8oobckg9UctWXYd1qoerXUTzsFSuLNXHdiAEVCSw7fUO00:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:VER=2:S=1Ah7VcA0JetHQ0Mgyfp4Jb6meXw=: Domain: .www.orkut.com Path: / Send for: Any type of session Expires: Expire at end of session The issue still exists. A new session cookie to prove this.... Cookie: ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=74:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1184466361:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAIMAAAAKQX59h2RRxR_Yw61n4e8uiJdJJYiMIyZPvgemHnkXJElDem_sI-5AgNzq5ajnMKejwbVnKY9AxWMmrZ67XXuMNcxA3AkJVg39a-tqX5hmgnn6Pnr4lm7ieZzpwLhV-kSrcR8znzq2Wo30jKt22-3Y2ITRt93H7G8gEYMiZ2PWzOWVBlw6z5FwJs8SQaN6noQ:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=:VER=2:S=Z/6WJuS/q/cRlYLO8DgaEla9PqM=: Other details as old cookie. Conclusion: Hijacked session can be used for 14 days by the hijacker because logging out does not kill the session. ____________________________________________________________________________________ The fish are biting. Get more visitors on your site using Yahoo! Search Marketing. http://searchmarketing.yahoo.com/arp/sponsoredsearch_v2.php _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google/Orkut Session Expiry PoC - Results Joseph Hick (Jul 15)