Outlook.com cookie hijacking issue
Users of outlook.com or hotmail.com, Microsoft's two email services, should take note now. Information are stored in cookies when you use the site including whether you have successfully authorized your account or not. If the information is available, you can open and close both services without having to log in again to one of them. That's great as it is comfortable, but also problematic as it means that someone else can copy that cookie from your system to access your email account online without re-authorization.
What makes this particularly worrying is that logging out of the services does not invalidate the session information stored in the cookie. If someone exports the cookie when the session is still active, it continues to work after the user logged out on the PC and invalidated the session information saved to the cookie.
Here is a - silent - demo video that demonstrates how this works.
Note that the researchers are using the two add-ons Cookie Importer and Cookie Exporter for the Firefox web browser to export and import cookies on the fly.
The steps to reproduce the vulnerability as outlined by the researchers:
- Sign in to Outlook.com or Hotmail.com.
- Export the cookie that gets created during the process to your system. You can use the Firefox add-on for that, another browser extension or simply copy the cookie manually from the directory it has been stored in.
- Log out of Outlook or Hotmail.
- Import the cookie into another browser either by using the suggested Firefox extension, another browser add-on or manually copying it into the right directory.
- Load the outlook.com or hotmail.com website. You should notice that you are logged in automatically thanks to the cookie that you saved earlier.
Microsoft notes that some highly sensitive options on the site require re-authorization. This is for instance the case when you try to change the account password. What attackers can do however is read and send emails, delete emails or use other information that are lined to email accounts like resetting passwords for online services.
One could now say that physical access to the system is required to exploit this vulnerability and that's certainly correct up to a point. There may be other means to exploit this though, over a local network for instance or with the help of malware that exports session cookies and sends the data to the attacker.
It needs to be noted that Microsoft is not the only company that is affected by this. Google Drive for example faces a similar issue. When the software is running, you can click on links to open the Google Account on the web without re-authentication.
Can you protect your account against this attack? Not really. Email programs may help but the programs may not be available on all systems you work with. (via)
Advertisement
I use Outlook.com and was surprised to learn this when I had raised my cookie privacy settings in IE 10. Not sure what to think about this? Again I think these services create easy access services to attract users who don’t want to have to reenter information every time they visit a site. But it seems those helper features create some potential for security concerns.
So is this the reason why corporates are worried about moving their email to cloud (SaaS)? Does this vulnerability affect Office 365 or Google App for Business? Or the big boys already knew this loop hole but choose not to panic the buyers.
Unfortunately, this practice is not uncommon for big providers of online services (including email). It is a very bad practice from a security point of view, but I suspect that this happens not because the big companies are not able to do it in a more secure way, but because it is more convenient. And nobody will ask you, the user, if you care about security or not, they will decide for you.
What amazes me though is that all these companies believe that all the network path between you and them is secure (or they consider that the risk of being compromised is very low, which is not).
Well, I have installed around 200 security hotfixes for Windows 7, and would probably have installed at least another hundred hotfixes for MS Office, if I used it… which I don’t. So, I’m not the least bit surprised that Microsoft embarrasses itself again with another security blunder with it’s web based email. It puzzles me how the world’s number one software company seems so incapable of producing a product that is secure out of the box.
Isn’t this the case for all services that don’t bind your session to your current IP address?
I would imagine that many services store the information about successful authentication in a cookie. When you log out the cookie gets cleared. (Doesn’t help when the cookie gets copied earlier.)
I don’t know if other services check for cookies (client side) and remember (server side) that the user logged out. (Signing in again would reset the server side logged out flag).
The right way to do it is making sure you always invalidate the session (server side) when users logout; only deleting the cookie is quite a mistake…
and it is unacceptable from big serious companies like microsoft…
You are right about that.
in setting “keep cookies until I close firefox” should help.
other browsers should have settings like this too.
Ash, not if the cookie gets stolen during your session.
+1
Which we has seen in the past is very easy to accomplish by anyone, with apps like Firesheep
or BlackSheep…