Users of outlook.com and hotmail.com, Microsoft's two email services, should take note. Information is stored in cookies when you use the site, including whether you have successfully authenticated to your account. If that information is present, you can close and reopen either service without having to log in again. That is convenient, but also problematic, as it means that someone else can copy the cookie from your system and use it to access your email account online without re-authenticating.
What makes this particularly worrying is that logging out of the services does not invalidate the session information stored in the cookie. If someone exports the cookie while the session is still active, it continues to work after the user has logged out on the PC, even though the logout removes the session information saved in the cookie on that system.
Here is a silent demo video that shows how this works.
Note that the researchers use the two Firefox add-ons Cookie Importer and Cookie Exporter to export and import cookies on the fly.
The steps to reproduce the vulnerability as outlined by the researchers:
Microsoft notes that some highly sensitive options on the site require re-authentication. This is the case, for instance, when you try to change the account password. What attackers can do, however, is read and send email, delete messages, or use other information linked to the email account, such as resetting passwords for online services.
One could argue that physical access to the system is required to exploit this, and that is correct up to a point. There may be other ways to exploit it, however, for instance over a local network, or with the help of malware that exports session cookies and sends them to the attacker.
It needs to be noted that Microsoft is not the only company affected by this. Google Drive, for example, has a similar issue: while the software is running, you can click links to open the Google Account on the web without re-authenticating.
Can you protect your account against this attack? Not really. Desktop email programs may help, but they may not be available on all systems you work with.
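The defect at the heart of the article, modelled as an added example (not Microsoft's code and not the researchers' demo): a toy session server whose logout only tells the browser to drop the cookie, beside a hardened variant that records live sessions server-side and revokes them on logout, so a previously copied cookie stops working once the owner signs out. The cookie format, the server key and the class names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real service would load this from a secret store.
SERVER_KEY = b"constructed-demo-key"


def _sign(user: str, sid: str) -> str:
    """HMAC over user and session id, so the cookie cannot be forged."""
    return hmac.new(SERVER_KEY, f"{user}:{sid}".encode(), hashlib.sha256).hexdigest()


class WeakSessionServer:
    """Models the behaviour described above: the signed cookie alone proves the
    session, and logout only makes the browser forget it."""

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        return f"{user}:{sid}:{_sign(user, sid)}"  # value stored in the cookie

    def logout(self, cookie: str) -> None:
        pass  # nothing is recorded server-side, so nothing is revoked

    def authenticate(self, cookie: str):
        user, sid, mac = cookie.rsplit(":", 2)
        return user if hmac.compare_digest(mac, _sign(user, sid)) else None


class RevocableSessionServer(WeakSessionServer):
    """Hardened variant: every live session id is stored server-side and removed
    on logout, so a cookie copied earlier is rejected afterwards."""

    def __init__(self) -> None:
        self._live = {}  # session id -> user

    def login(self, user: str) -> str:
        cookie = super().login(user)
        self._live[cookie.rsplit(":", 2)[1]] = user
        return cookie

    def logout(self, cookie: str) -> None:
        self._live.pop(cookie.rsplit(":", 2)[1], None)

    def authenticate(self, cookie: str):
        user = super().authenticate(cookie)
        if user is None:
            return None
        return user if self._live.get(cookie.rsplit(":", 2)[1]) == user else None


def copied_cookie_survives_logout(server) -> bool:
    """Check: is a cookie copied during a live session still valid after logout?"""
    cookie = server.login("alice")
    copy = cookie  # stands in for a cookie exported while the session was active
    server.logout(cookie)
    return server.authenticate(copy) == "alice"
```

Run the check against both servers: the weak one keeps accepting the copy, the revocable one does not.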