Office 365, Amazon, Others Vulnerable To Exploit Microsoft Knew About In 2012

colinneagle writes "Ethical hacking professor Sam Bowne recently put a cookie re-use method to test on several major web services, finding that Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress all failed the security test. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. And, just for kicks, we tried it with Netflix. And it worked. Microsoft has apparently known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability, so Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He claims he 'easily reproduced it using Chrome and the Edit This Cookie extension.'"
  • 2013 (Score:1, Interesting)

    by Anonymous Coward on Tuesday July 16, 2013 @06:35PM (#44303467)

    The year we ban non-open-sourced software as a global threat to humanity.

  • by Anonymous Coward on Tuesday July 16, 2013 @06:45PM (#44303555)

    Yahoo mail auth cookies are stolen by ads on a regular basis and used to send spam as an authorized Yahoo user. It's been going on for a long time and still happens every day.

  • Re:What? (Score:4, Interesting)

    by amorsen ( 7485 ) <benny+slashdot@amorsen.dk> on Tuesday July 16, 2013 @06:51PM (#44303651)

    So if I log in to GMail with my phone and my desktop, if I log off on my desktop it should kill my phone too? How the hell is that better?

    If you log in to GMail twice, you get two different cookies. In a sane world, when you hit "logout", the specific cookie gets invalidated and you have to log in again on that device if you want back in. Hotmail (seemingly unlike GMail) does not exist in a sane world.

  • by Anonymous Coward on Tuesday July 16, 2013 @06:55PM (#44303679)

    You can have multiple sessions per cookie. This is how you are able to go back to a site when you've asked it to Remember your login and be logged in automatically. No one in their right mind is going to have a server keep a session open occupying resources for days at a time. Sessions are pretty temporary, whereas cookies for automatic login usually don't expire for a couple of weeks.

    The more likely issue is that the ID of the cookie should be tracked in a database, and logoff should invalidate it so that it will not be accepted in the future.
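    One way to do what this comment describes, that is, record every issued cookie server-side and have logout revoke exactly that one, as an added example (not code from Microsoft, Google, or the commenter; the `SessionStore` class, the user names and the fixed `now` timestamps are made up for illustration):

```python
import hashlib
import secrets

class SessionStore:
    """Server-side session registry: one fresh random token per login, stored
    only as a SHA-256 digest so a leaked table does not hand out usable cookies.
    'now' is passed in explicitly (seconds) so the behaviour is deterministic."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token digest -> {"user": ..., "expires": ...}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now):
        """Issue a new session token (the value that goes in the Set-Cookie header)."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = {"user": user, "expires": now + self.ttl}
        return token

    def resolve(self, token, now):
        """Map a presented cookie to a user; None if unknown, revoked or expired."""
        key = self._digest(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if rec["expires"] <= now:
            del self._sessions[key]  # lazy expiry: a stale cookie is no longer honoured
            return None
        return rec["user"]

    def logout(self, token):
        """Revoke exactly this session; the user's other devices stay logged in."""
        return self._sessions.pop(self._digest(token), None) is not None

    def logout_everywhere(self, user):
        """Revoke every session of a user, e.g. after a suspected cookie theft."""
        doomed = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def replay_after_logout():
    # Phone and desktop log in (two distinct cookies); desktop logs out;
    # a replay of the desktop cookie must now fail while the phone keeps working.
    store = SessionStore(ttl_seconds=3600)
    phone, desktop = store.login("alice", now=0), store.login("alice", now=0)
    store.logout(desktop)
    return store.resolve(desktop, now=1), store.resolve(phone, now=1)  # (None, "alice")
```

    A site that instead treats the cookie as self-contained proof of login, with no server-side record to revoke, is the behaviour the article describes: a copied cookie keeps working after logout until it expires.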

  • by black3d ( 1648913 ) on Tuesday July 16, 2013 @07:06PM (#44303791)

    Is this entire article some kind of joke? If you have physical access to a machine and are able to "steal" the cookies from their logged in browser session, then on another machine replicate that browser session and utilize that same logged in cookie so that the site can't tell the difference between the machine you HAVE PHYSICAL LOGGED-IN ACCESS TO and the replicated session, so you're able to continue using the site? Isn't this behaviour "as intended"?

    This would only be a "flaw" if another site could remotely copy my cookies and continue my session 'as me'. (Well, actually, I have Java installed, so they probably can *cough*). Otherwise, it's exactly how a logged in cookie is meant to work. The only tacit connection to "Microsoft" seems to be that "Microsoft, like some other companies.. have websites on the internet."

    Actually, the fact that Microsoft requires re-authentication to make any account changes is actually a good thing. The article makes some excuse about "what's the use of that if they're already able to read the emails with the logged in cookie", to which I counter - YES, OR.. YOU KNOW.. READING THE EMAILS ON THE LOGGED IN SESSION YOU ALREADY HAVE ON THE ORIGINAL MACHINE IN FRONT OF YOU.

  • by Narcocide ( 102829 ) on Tuesday July 16, 2013 @08:30PM (#44304387) Homepage

    I don't know if this is true, but I get a LOT of spam from legit Yahoo servers, some of it occasionally from accounts of people I know who can't seem to keep their password secret, so that does lend a lot of credibility to this. I actually get quite a lot of spam (usually ~300 items per day to my main account alone) and with the exception of only Yahoo, HSBC and DNB, all of the rest has plainly come from spoofed/forged email servers.

  • by raymorris ( 2726007 ) on Tuesday July 16, 2013 @11:17PM (#44305251) Journal

    Has anyone studied the Firefox code, you ask. Yep, I have. I happen to be a security professional too. Have all those people who used Firefox as the basis for their browser studied the hell out of it? Yep.

    We know Microsoft is full of NSA backdoors. Has any government backdoor EVER been found in any FOSS, at any time? Nope.

    The insistence on continuing to believe the ridiculous out of fandom is rather curious. Certainly on some level you understand your "beliefs" are laughable, but you're just completely incapable of changing your thoughts, of learning.

  • Re:2013 (Score:4, Interesting)

    by oreaq ( 817314 ) on Wednesday July 17, 2013 @01:32AM (#44305727)

    The other big advantage with FOSS is that the change and commit logs are publicly accessible. If you introduce a backdoor in a FOSS product you can't hide behind a corporation. Your own name is tied to that backdoor. This is a strong disincentive; decades of social, economic, and criminal studies prove that.
