Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results

[Susam Pal <susam () susam in>]

An Orkut session cookie once stolen can be used by an attacker to mess
with the compromised account as long as the session associated with that
cookie remains alive at the server. Unfortunately, in case of Orkut, it
remains alive even after the user has logged out.

Joseph's experiment proves that it takes a pretty long time for the
session to expire. So, the user of a compromised account has to either
wait for the session to expire or hope that Google does something to
terminate the sessions of the users who have logged out.

Regards,
Susam Pal
http://susam.in/

Neeraj Agarwal wrote, On Tuesday 10 July 2007 02:44 PM:
> my firnd got my session cookie a day before yesterdy..
> is there any method i can stop him by using my orkut account?
>
> On 7/10/07, *Deeþàn Chakravarthÿ* < codeshepherd () gmail com 
> <mailto:codeshepherd () gmail com>> wrote:
>
>     Joseph Hick wrote:
>      > If you sign into orkut.com <http://orkut.com> then enter orkut in the
>      > filter box then you will see some orkut cookies. Look
>      > for orkut_state in www.orkut.com <http://www.orkut.com> site.
>      >
>      > It will work if you are logged in. if you log out
>      > orkut_state cookie disappears but the session remains
>      > active in orkut.com <http://orkut.com> server. So a big problem is
>      > happening in orkut. when attackers stole some cookies
>      > using XSS attacks earlier they were misusing the
>      > accounts after owner of account logged out. This
>      > problem is happening because after owner of account
>      > logged out the session remained active.
>      >
>      > In other sites like yahoo this is not possible because
>      > the session deactivates in the server after owner of
>      > account logs out.
>      >
>      >
>     Hi Joseph,
>       Thanks, I was looking for the cookie after logging off.
>     Thanks
>     Deepan
>      > --- Deeþàn Chakravarthÿ <codeshepherd () gmail com
>     <mailto:codeshepherd () gmail com>>
>      > wrote:
>      >
>      >> It works great. But I am not able to find a similar
>      >> cookie for my account.
>      >> Am I missing something ?
>      >>
>      >> Thanks
>      >> Deepan
>      >>
>      >>
>      >> Joseph Hick wrote:
>      >>
>      >>> This is the interim result of a proof of concept
>      >>>
>      >> for
>      >>
>      >>> Google Authentication issues posted in the
>      >>>
>      >> threads...
>      >>
>      >>> 1.)
>     http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html
>     <http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html>
>      >
>      >>> (Orkut Server Side Management Error by Susam Pal &
>      >>> Vipul Agarwal)
>      >>>
>      >>> 2.)
>     http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html
>      >
>      >>> (Google Re-authentication Bypass by Susam Pal)
>      >>>
>      >>> A session was created in Orkut at about Sat Jun 30
>      >>> 20:30 UTC 2007. Between June 30 and now many have
>      >>> hijacked this session and logged out many times
>      >>>
>      >> but
>      >>
>      >>> the session is alive today as verified on Sun Jul
>      >>>
>      >> 8 at
>      >>
>      >>> 09:43:10 UTC 2007. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/