Full Disclosure mailing list archives

Re: Google/Orkut Authentication/Session Management Issue PoC - Interim Results


From: Deeþàn Chakravarthÿ <codeshepherd () gmail com>
Date: Tue, 10 Jul 2007 17:06:09 +0800

Joseph Hick wrote:
If you sign into orkut.com then enter orkut in the
filter box then you will see some orkut cookies. Look
for orkut_state in www.orkut.com site.

It will work if you are logged in. If you log out
orkut_state cookie disappears but the session remains
active in orkut.com server. So a big problem is
happening in orkut. When attackers stole some cookies
using XSS attacks earlier they were misusing the
accounts after owner of account logged out. This
problem is happening because after owner of account
logged out the session remained active.

In other sites like yahoo this is not possible because
the session deactivates in the server after owner of
account logs out.

  
Hi Joseph,
  Thanks, I was looking for the cookie after logging off. 
Thanks
Deepan
--- Deeþàn Chakravarthÿ <codeshepherd () gmail com>
wrote:
  
It works great. But I am not able to find a similar
cookie for my account.
Am I missing something?

Thanks
Deepan

    


  
Joseph Hick wrote:
    
This is the interim result of a proof of concept for
Google Authentication issues posted in the threads...

1.) http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html
(Orkut Server Side Management Error by Susam Pal &
Vipul Agarwal)

2.) http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html
(Google Re-authentication Bypass by Susam Pal)

A session was created in Orkut at about Sat Jun 30
20:30 UTC 2007. Between June 30 and now many have
hijacked this session and logged out many times but
the session is alive today as verified on Sun Jul 8 at
09:43:10 UTC 2007. The cookie for this PoC session is
...

Name: orkut_state
Cookie:
ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=0:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1183210062:LCL=en-US:NET=1:TOS=1:GC=DQAAAIMAAAArC-mJYqsrCOnv8uVQHdFUccRFQX8-ibRerEzrie5sOWNc06zs4z4fMNpovLUyRcNXHwxk8WzY6Z6SmvxcSmL1hAW4Mrdvazzkssq5VjSO70oE1HSFR4KOkSb3ZLg-U7k0x8c7ZuLHwu_qY2Umy8oobckg9UctWXYd1qoerXUTzsFSuLNXHdiAEVCSw7fUO00:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:VER=2:S=1Ah7VcA0JetHQ0Mgyfp4Jb6meXw=:
  
Domain: .www.orkut.com
Path: /
Send for: Any type of session
Expires: Expire at end of session

This proves that the session remains alive for at
least 7 days after logging out. Steps to verify
this...

1.) Open Firefox, etc. which allows cookie editing.
This extension is required...
https://addons.mozilla.org/en-US/firefox/addon/573

2.) Set the given cookie.

3.) Try to visit http://www.orkut.com/Home.aspx

4.) You will be automatically logged in with my
account. It will not ask for any user-name or
password.

5.) Logout

6.) Repeat steps 1. to 4. You can log in again.

I want to see how long this session remains alive
after multiple logouts. If you try this POC leave a
message in the scrapbook of the account here ...
http://www.orkut.com/Scrapbook.aspx

Thanks
Joseph

  
      

  



       

  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
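
The behaviour discussed in this thread, where logout removes the cookie from the browser while a previously copied value keeps working, shown next to a logout that revokes the session on the server. This is an added example, not part of the original posts and not Orkut's code; the self-validating cookie model, the class and function names, and the 12-hour lifetime are assumptions for illustration.

```python
import hashlib, hmac, secrets, time

KEY = secrets.token_bytes(32)   # server signing key (constructed for the example)
MAX_AGE = 12 * 3600             # assumed absolute session lifetime, in seconds


def _sign(payload: str) -> str:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()


class ClientOnlyLogout:
    """Cookie validates itself; logout only asks the browser to drop it."""

    def login(self, user, now=None):
        payload = f"{user}:{int(time.time() if now is None else now)}"
        return f"{payload}:{_sign(payload)}"

    def validate(self, cookie, now=None):
        payload, _, sig = cookie.rpartition(":")
        ok = hmac.compare_digest(sig, _sign(payload))
        return payload.split(":")[0] if ok else None   # no expiry, no revocation

    def logout(self, cookie):
        return "Set-Cookie: state=; Max-Age=0"         # server state unchanged


class ServerSideLogout:
    """Cookie is a random handle; the server-side record decides validity."""

    def __init__(self):
        self.sessions = {}                             # session id -> (user, created)

    def login(self, user, now=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, time.time() if now is None else now)
        return sid

    def validate(self, cookie, now=None):
        now = time.time() if now is None else now
        rec = self.sessions.get(cookie)
        if rec is None or now - rec[1] > MAX_AGE:
            self.sessions.pop(cookie, None)            # drop expired records
            return None
        return rec[0]

    def logout(self, cookie):
        self.sessions.pop(cookie, None)                # revoke on the server
        return "Set-Cookie: state=; Max-Age=0"
```

With the first class a cookie copied before logout still validates days later; with the second the same replay fails immediately after logout and after the absolute lifetime regardless of logout.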

