Full Disclosure mailing list archives
Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results
From: Susam Pal <susam () susam in>
Date: Wed, 11 Jul 2007 00:34:53 +0530
An Orkut session cookie once stolen can be used by an attacker to mess with the compromised account as long as the session associated with that cookie remains alive at the server. Unfortunately, in case of Orkut, it remains alive even after the user has logged out. Joseph's experiment proves that it takes a pretty long time for the session to expire. So, the user of a compromised account has to either wait for the session to expire or hope that Google does something to terminate the sessions of the users who have logged out.

Regards,
Susam Pal
http://susam.in/

Neeraj Agarwal wrote, On Tuesday 10 July 2007 02:44 PM:

my friend got my session cookie a day before yesterday.. is there any method I can stop him by using my orkut account?

On 7/10/07, Deeþàn Chakravarthÿ <codeshepherd () gmail com> wrote:

Joseph Hick wrote:
> If you sign into orkut.com then enter orkut in the filter box then you will see some orkut cookies. Look for orkut_state in www.orkut.com site.
>
> It will work if you are logged in. If you log out orkut_state cookie disappears but the session remains active in orkut.com server. So a big problem is happening in orkut. When attackers stole some cookies using XSS attacks earlier they were misusing the accounts after owner of account logged out. This problem is happening because after owner of account logged out the session remained active.
>
> In other sites like yahoo this is not possible because the session deactivates in the server after owner of account logs out.

Hi Joseph,
Thanks, I was looking for the cookie after logging off.

Thanks
Deepan

> --- Deeþàn Chakravarthÿ <codeshepherd () gmail com> wrote:
>
>> It works great. But I am not able to find a similar cookie for my account. Am I missing something ?
>>
>> Thanks
>> Deepan
>>
>> Joseph Hick wrote:
>>
>>> This is the interim result of a proof of concept for Google Authentication issues posted in the threads...
>>>
>>> 1.) http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html (Orkut Server Side Management Error by Susam Pal & Vipul Agarwal)
>>>
>>> 2.) http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html (Google Re-authentication Bypass by Susam Pal)
>>>
>>> A session was created in Orkut at about Sat Jun 30 20:30 UTC 2007. Between June 30 and now many have hijacked this session and logged out many times but the session is alive today as verified on Sun Jul 8 at 09:43:10 UTC 2007.
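The logout defect the thread describes (the browser drops the cookie, but the server keeps the session alive) contrasted with server-side revocation, as an added example that is not part of any message in this thread. The session store, its class and function names are constructed for illustration and are not Orkut's code.

```python
import secrets

# Constructed in-memory session store standing in for a server-side store.
# The names and API here are assumptions for this example, not Orkut's code.
class SessionStore:
    def __init__(self, max_lifetime_s=8 * 3600.0):
        self._sessions = {}              # session id -> {"user": ..., "created": ...}
        self.max_lifetime_s = max_lifetime_s

    def login(self, user, now):
        # An unguessable session id; this value is what the cookie carries.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now}
        return sid

    def is_valid(self, sid, now):
        sess = self._sessions.get(sid)
        if sess is None:
            return False
        if now - sess["created"] > self.max_lifetime_s:
            # Absolute lifetime exceeded: drop it so it cannot be reused later.
            del self._sessions[sid]
            return False
        return True

    def logout_cookie_only(self, sid):
        # Weak pattern from the thread: only the browser-side cookie is removed
        # (nothing to do here), so any copy of the cookie keeps working.
        return None

    def logout_revoke(self, sid):
        # Hardened pattern: revoke the session server-side on logout.
        self._sessions.pop(sid, None)


def copied_cookie_after_logout(revoke):
    """True if a copy of the cookie taken before logout still works afterwards."""
    store = SessionStore()
    t0 = 1000.0
    sid = store.login("victim", t0)
    copied_cookie = sid              # constructed: a copy made before the user logs out
    if revoke:
        store.logout_revoke(sid)
    else:
        store.logout_cookie_only(sid)
    return store.is_valid(copied_cookie, t0 + 60)
```

The check to run against a real application is the same: log in, copy the cookie, log out, and confirm the copied cookie is rejected by the server.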
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google/Orkut Authentication/Session Management Issue PoC - Interim Results Joseph Hick (Jul 08)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Deeþàn Chakravarthÿ (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Joseph Hick (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Deeþàn Chakravarthÿ (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Neeraj Agarwal (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Susam Pal (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Joseph Hick (Jul 10)
- Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results Deeþàn Chakravarthÿ (Jul 10)