
Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"
  • by jmauro ( 32523 ) on Tuesday July 16, 2013 @06:39PM (#44303501)

    It looks like they're exporting, deleting and then reimporting cookies before the cookies are set to expire. They can then get back into the site they just had access to. I fail to see how this "exploit" isn't actually the expected behavior of a properly functioning login tracked with a cookie.

  • Re:What? (Score:5, Insightful)

    by uglyduckling ( 103926 ) on Tuesday July 16, 2013 @06:54PM (#44303669) Homepage
    No. When you login, your session cookie should have an ID unique to that browser session. When you logout, it should cancel that ID at the server side, so even if the cookie persists it would be invalid. It seems like many websites are implementing this functionality by just deleting the session cookie when you logout. That's a problem.
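
The difference described in the comment above, as an added example that is not part of the original thread: a logout that only clears the browser's cookie next to one that also cancels the session ID on the server, with a saved copy of the cookie presented again after each. The `SessionStore` class, its method names and the user `alice` are hypothetical.

```python
import secrets

COOKIE_CLEAR = "sid=; Max-Age=0; Path=/"  # header value that tells the browser to drop the cookie


class SessionStore:
    """Server-side table of live sessions: session ID -> username (hypothetical)."""

    def __init__(self):
        self._live = {}

    def login(self, username):
        sid = secrets.token_urlsafe(32)  # fresh, unguessable ID for each login
        self._live[sid] = username
        return sid  # sent to the browser as the session cookie value

    def authenticate(self, cookie_value):
        """Return the username for a presented cookie, or None if it is not valid."""
        return self._live.get(cookie_value)

    def logout_cookie_only(self, cookie_value):
        # Weak: only the browser's copy is cleared; the ID stays valid on the server.
        return COOKIE_CLEAR

    def logout_revoking(self, cookie_value):
        # Hardened: cancel the ID server-side, then clear the browser's copy.
        self._live.pop(cookie_value, None)
        return COOKIE_CLEAR


def replay_after_logout(logout_method):
    """Log in, keep a copy of the cookie, log out, then present the copy again."""
    store = SessionStore()
    cookie = store.login("alice")  # constructed sample user
    saved_copy = cookie            # e.g. exported before clicking "log out"
    getattr(store, logout_method)(cookie)
    return store.authenticate(saved_copy)


if __name__ == "__main__":
    print("cookie-only logout :", replay_after_logout("logout_cookie_only"))
    print("revoking logout    :", replay_after_logout("logout_revoking"))
```

With the cookie-only logout the saved copy still authenticates as the user; with the revoking logout the server no longer recognises it.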
  • by bdwebb ( 985489 ) on Tuesday July 16, 2013 @07:20PM (#44303901)
    It may be a website problem but it becomes a consumer problem, especially when the method of payment stored on an account can potentially be utilized by re-using cookies.
  • by chill ( 34294 ) on Tuesday July 16, 2013 @07:24PM (#44303949) Journal

    No, it isn't. If you explicitly click "log out" it is supposed to log you out and you have to explicitly log back in.

    "Remember me" is only supposed to keep you signed in if you don't explicitly log out, such as by just leaving the page or closing the browser.

    Otherwise, how do you actually log out of a session?

  • by Anonymous Coward on Tuesday July 16, 2013 @08:18PM (#44304303)

    Not an exploit, just business as usual.

    NSA praises Redmond for 'collaborative teamwork'
    There are red faces in Redmond after Edward Snowden released a new batch of documents from the NSA's Special Source Operations (SSO) division covering Microsoft's involvement in allowing backdoor access to its software to the NSA and others.

    Documents seen by The Guardian detail how the NSA became concerned when Microsoft started testing Outlook.com, and asked for access. In five months Microsoft and the FBI created a workaround that gives the NSA access to encrypted chats on Outlook.com. The system went live in December last year – two months before Outlook.com's commercial launch.

    http://www.theregister.co.uk/2013/07/11/snowden_leak_shows_microsoft_added_outlookencryption_backdoor_for_feds/ [theregister.co.uk]

  • by bdwebb ( 985489 ) on Tuesday July 16, 2013 @09:11PM (#44304595)
    WTF are you talking about? Your logic is that because of the functions of Malware is that many Malware programs install keystroke loggers, and because the AC post that I replied to mentioned keyloggers (even though he did not identify Malware), this somehow refutes or invalidates my point??

    Since you obviously don't know how this works, Malware has access to the user's machine; however, in most cases the author or distributor of the Malware DOES NOT HAVE ACCESS TO THE MACHINE (in other words, the 'You' that the OP referenced). The OP, which is most likely you posting AC, identified that this is not a vulnerability because you can already access the machine and install a keylogger to steal the password. I did not say that this was not possible - to make sure you understand, I will explain slowly. My statement means that Malware designed specifically to obtain cookies that has been installed can forward that information to an unauthorized destination and therefore this cookie can be taken advantage of to gain access to sensitive information or to ordering interfaces with stored credit cards...which is definitely a vulnerability completely independent of the physical or remote access style vulnerability that the OP referenced.

    The vulnerability in question is the fact that a cookie can be copy-fucking-pasted and used as though the new location is the authorized, authenticated user with stored credit card information. I hope you are extremely high because your comment is probably one of the most idiotic that I've seen since I registered for Slashdot.
  • Re:2013 (Score:4, Insightful)

    by amiga3D ( 567632 ) on Tuesday July 16, 2013 @11:40PM (#44305355)

    You ignore one obvious truth. With FOSS no matter how unlikely someone will look at the code it actually is a possibility that it will happen. With proprietary software there is no chance in hell. None. Nada. Zip! All kinds of nastiness hidden away and everyone knows their little nasty secrets are secure behind closed source. Proprietary software guarantees this kind of stuff will without any doubt happen. FOSS gives you a chance at least.
