Full Disclosure mailing list archives

Re: Session Sidejacking in facebook


From: adam <adam () papsy net>
Date: Sat, 11 Jun 2011 15:56:59 -0500

I was actually just kidding about releasing it to the list, but given the
nature of the vulnerability - the disclosure could have been a lot worse.

"Is this how it works in all social sites?"

I've personally witnessed countless sites that authenticate a user based on
userID/token combination (and nothing else). Depending on the actual token
length, bruteforcing it is sometimes even possible.

"If the answer is yes, I will be highly doubtful of using the internet at
any public place where sniffing or a MITM attack is relatively simple to
make."

As you should be, but don't just apply it to social networking sites.

"Are there any measures to prevent it?"

Servers/applications *could* do a little more to protect against it (e.g. X
token is only valid for Y IP, or by using flash cookies as part of the
authentication process, etc etc). The difference is, in your example, the IP
check wouldn't make a difference. Flash cookies aren't necessarily the best
route either, for compatibility and other reasons.

On the client side, I'd recommend using a secure VPN connection *any time*
you're accessing the internet from a public place/network. You could do that,
tunnel over SSH, whatever. The point being: don't send unencrypted data
across public networks, unless privacy isn't important (e.g. browsing
Wikipedia).

On Sat, Jun 11, 2011 at 3:43 PM, Madhur Ahuja <ahuja.madhur () gmail com> wrote:

Recently, there was a vulnerability discovered in LinkedIn, which is
described here
http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/

Basically, this allows someone on the network to sniff a cookie value and
apply it in his browser session to hijack the target's user session.

This simple concept works even in Facebook. I was able to hijack
n number of users' sessions sitting in my university room in a few
minutes.

For every POST request in facebook, a similar cookie string is transmitted:

Cookie: datr=09bXXXQ2oOgQuUK0yAzK_JU9; lu=wgj9pmpkAsdXXXTp5vthfh2w;
locale=en_US; L=2; act=13078123502562F3; c_user=xxxxxx;
sct=1123416461; xs=603Afe43db8a71239bd8d7b2a831xxx6241f;

presence=EM307818375L26REp_5f123422481F22X3078XXX1367K1H0V0Z21G307818375PEuoFD769839560FDexpF1307818409174EflF_5b_5dEolF-1CCCC;
e=n

I was able to hijack the remote user's session by just placing the
values of 2 cookies: c_user (which is obviously the user id) and xs (seems
like an auth token) in my browser session.

Step by step POC:
http://madhur.github.com/blog/2011/06/12/facebooksessionhijacking.html

Is this how it works in all social sites?

If the answer is yes, I will be highly doubtful of using the internet at
any public place where sniffing or a MITM attack is relatively simple to
make.

Are there any measures to prevent it?

Madhur
http://madhur.github.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
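The exchange above, as an added example that is not part of the original thread and does not describe Facebook's or LinkedIn's actual implementation: a sniffed Cookie header is reduced to the c_user/xs pair and replayed against two hypothetical server-side checks, adam's "userID/token combination (and nothing else)" and his "X token is only valid for Y IP". The cookie header is a constructed sample modelled on the one Madhur posted (values made up), the session stores and their method names are assumptions for illustration, and the last helper shows the flag the LinkedIn write-up is about: without the Secure attribute the browser sends the cookie over plain http:// in the first place.

```python
"""Session sidejacking replayed against two hypothetical session checks.

Added example, not code from the thread. The cookie header is a constructed
sample (values made up); NaiveSessionStore and IpBoundSessionStore are
hypothetical stand-ins for "authenticate on userID/token and nothing else"
versus "token X is only valid for IP Y".
"""
import hmac
import secrets

# Constructed sample of a sniffed Cookie: header (not a real capture).
SNIFFED_COOKIE_HEADER = (
    "datr=09bXXXQ2oOgQuUK0yAzK_JU9; lu=wgj9pmpkAsdXXXTp5vthfh2w; "
    "locale=en_US; L=2; act=13078123502562F3; c_user=100000123456; "
    "sct=1123416461; xs=603Afe43db8a71239bd8d7b2a831xxx6241f; e=n"
)

# The two cookies the post says are enough to take over the session.
SESSION_COOKIES = ("c_user", "xs")


def parse_cookie_header(header):
    """Turn a raw Cookie: header value into a {name: value} dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def build_cookie_header(cookies):
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def replay_header(sniffed):
    """Minimal Cookie: header the attacker pastes into his own browser."""
    return build_cookie_header({k: sniffed[k] for k in SESSION_COOKIES if k in sniffed})


class NaiveSessionStore:
    """Accepts any request carrying a known userID/token pair, from anywhere."""

    def __init__(self):
        self.tokens = {}      # user_id -> session token
        self.issued_to = {}   # user_id -> client IP the token was issued to

    def login(self, user_id, client_ip):
        token = secrets.token_hex(16)  # 128 random bits, so not brute-forceable
        self.tokens[user_id] = token
        self.issued_to[user_id] = client_ip
        return token

    def validate(self, cookies, client_ip):
        expected = self.tokens.get(cookies.get("c_user"))
        if expected is None:
            return False
        # constant-time compare so the token cannot be guessed byte by byte
        return hmac.compare_digest(expected, cookies.get("xs", ""))


class IpBoundSessionStore(NaiveSessionStore):
    """Same check, plus 'token X is only valid for IP Y'."""

    def validate(self, cookies, client_ip):
        if not super().validate(cookies, client_ip):
            return False
        return self.issued_to.get(cookies.get("c_user")) == client_ip


def sidejack(store, victim_ip, attacker_ip):
    """Victim logs in and sends the cookie in the clear; attacker replays it."""
    user_id = "100000123456"
    token = store.login(user_id, victim_ip)
    victim_cookies = parse_cookie_header(SNIFFED_COOKIE_HEADER)
    victim_cookies["xs"] = token                        # the live token
    on_the_wire = build_cookie_header(victim_cookies)   # what a sniffer sees
    attacker_cookies = parse_cookie_header(replay_header(parse_cookie_header(on_the_wire)))
    return store.validate(attacker_cookies, attacker_ip)


def cookie_sent_in_clear(set_cookie_value):
    """True if a browser would also send this cookie over plain http:// (no Secure flag)."""
    attrs = {a.strip().lower() for a in set_cookie_value.split(";")[1:]}
    return "secure" not in attrs


if __name__ == "__main__":
    print(replay_header(parse_cookie_header(SNIFFED_COOKIE_HEADER)))
    print("naive, attacker elsewhere   :", sidejack(NaiveSessionStore(), "10.0.0.5", "203.0.113.9"))
    print("ip-bound, attacker elsewhere:", sidejack(IpBoundSessionStore(), "10.0.0.5", "203.0.113.9"))
    # same campus NAT: the server sees one public IP for victim and attacker
    print("ip-bound, same NAT          :", sidejack(IpBoundSessionStore(), "198.51.100.7", "198.51.100.7"))
    print(cookie_sent_in_clear("xs=abc; Path=/; HttpOnly"), cookie_sent_in_clear("xs=abc; Secure; HttpOnly"))
```

The third `sidejack` call is adam's caveat in code: when victim and attacker sit behind the same NAT, as in a university network, the IP the server sees is identical and the IP binding accepts the replayed token. Binding to IP is a speed bump, not a fix; the fix is to never let the cookie travel in the clear (Secure flag plus HTTPS everywhere, or the client-side VPN/SSH tunnel adam recommends).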
