Full Disclosure mailing list archives
Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results
From: "Neeraj Agarwal" <nee.agl () gmail com>
Date: Tue, 10 Jul 2007 14:44:44 +0530
my firnd got my session cookie a day before yesterdy.. is there any method i can stop him by using my orkut account? On 7/10/07, Deeþàn Chakravarthÿ <codeshepherd () gmail com> wrote:
Joseph Hick wrote: > If you sign into orkut.com then enter orkut in the > filter box then you will see some orkut cookies. Look > for orkut_state in www.orkut.com site. > > It will work if you are logged in. if you log out > orkut_state cookie disappears but the session remains > active in orkut.com server. So a big problem is > happening in orkut. when attackers stole some cookies > using XSS attacks earlier they were misusing the > accounts after owner of account logged out. This > problem is happening because after owner of account > logged out the session remained active. > > In other sites like yahoo this is not possible because > the session deactivates in the server after owner of > account logs out. > > Hi Joseph, Thanks, I was looking for the cookie after logging off. Thanks Deepan > --- Deeþàn Chakravarthÿ <codeshepherd () gmail com> > wrote: > >> It works great. But I am not able to find a similar >> cookie for my account. >> Am I missing something ? >> >> Thanks >> Deepan >> >> > > > >> Joseph Hick wrote: >> >>> This is the interim result of a proof of concept >>> >> for >> >>> Google Authentication issues posted in the >>> >> threads... >> >>> 1.) >>> >>> > http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html > >>> (Orkut Server Side Management Error by Susam Pal & >>> Vipul Agarwal) >>> >>> 2.) >>> >>> > http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html > >>> (Google Re-authentication Bypass by Susam Pal) >>> >>> A session was created in Orkut at about Sat Jun 30 >>> 20:30 UTC 2007. Between June 30 and now many have >>> hijacked this session and logged out many times >>> >> but >> >>> the session is alive today as verified on Sun Jul >>> >> 8 at >> >>> 09:43:10 UTC 2007. The cookie for this PoC session >>> >> is >> >>> ... >>> >>> Name: orkut_state >>> Cookie: >>> >>> > ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=0:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1183210062:LCL=en-US:NET=1:TOS=1:GC=DQAAAIMAAAArC-mJYqsrCOnv8uVQHdFUccRFQX8-ibRerEzrie5sOWNc06zs4z4fMNpovLUyRcNXHwxk8WzY6Z6SmvxcSmL1hAW4Mrdvazzkssq5VjSO70oE1HSFR4KOkSb3ZLg-U7k0x8c7ZuLHwu_qY2Umy8oobckg9UctWXYd1qoerXUTzsFSuLNXHdiAEVCSw7fUO00:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:VER=2:S=1Ah7VcA0JetHQ0Mgyfp4Jb6meXw=: > >>> Domain: .www.orkut.com >>> Path: / >>> Send for: Any type of session >>> Expires: Expire at end of session >>> >>> This proves that the session remains alive for at >>> least 7 days after logging out. Steps to verify >>> this... >>> >>> 1.) Open Firefox, etc. which allows cookie >>> >> editing. >> >>> This extension is required... >>> https://addons.mozilla.org/en-US/firefox/addon/573 >>> >>> 2.) Set the given cookie. >>> >>> 3.) Try to visit http://www.orkut.com/Home.aspx >>> >>> 4.) You will be automatically logged in with my >>> account. It will not ask for any user-name or >>> password. >>> >>> 5.) Logout >>> >>> 6.) Repeat steps 1. to 4. You can log in again. >>> >>> I want to see how long this session remains alive >>> after multiple logout. If you try this POC leave a >>> message in the scrapbook of the account here ... >>> http://www.orkut.com/Scrapbook.aspx >>> >>> Thanks >>> Joseph >>> >>> >>> > > > > > > > ____________________________________________________________________________________ > Get the free Yahoo! toolbar and rest assured with the added security of spyware protection. > http://new.toolbar.yahoo.com/toolbar/features/norton/index.php > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google/Orkut Authentication/Session Management Issue PoC - Interim Results Joseph Hick (Jul 08)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Deeþàn Chakravarthÿ (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Joseph Hick (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Deeþàn Chakravarthÿ (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Neeraj Agarwal (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Susam Pal (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Joseph Hick (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Deeþàn Chakravarthÿ (Jul 10)