Outlook.com cookie hijacking issue
Users of outlook.com or hotmail.com, Microsoft's two email services, should take note now. Information are stored in cookies when you use the site including whether you have successfully authorized your account or not. If the information is available, you can open and close both services without having to log in again to one of them. That's great as it is comfortable, but also problematic as it means that someone else can copy that cookie from your system to access your email account online without re-authorization.
What makes this particularly worrying is that logging out of the services does not invalidate the session information stored in the cookie. If someone exports the cookie when the session is still active, it continues to work after the user logged out on the PC and invalidated the session information saved to the cookie.
Here is a - silent - demo video that demonstrates how this works.
Note that the researchers are using the two add-ons Cookie Importer and Cookie Exporter for the Firefox web browser to export and import cookies on the fly.
The steps to reproduce the vulnerability as outlined by the researchers:
- Sign in to Outlook.com or Hotmail.com.
- Export the cookie that gets created during the process to your system. You can use the Firefox add-on for that, another browser extension or simply copy the cookie manually from the directory it has been stored in.
- Log out of Outlook or Hotmail.
- Import the cookie into another browser either by using the suggested Firefox extension, another browser add-on or manually copying it into the right directory.
- Load the outlook.com or hotmail.com website. You should notice that you are logged in automatically thanks to the cookie that you saved earlier.
Microsoft notes that some highly sensitive options on the site require re-authorization. This is for instance the case when you try to change the account password. What attackers can do however is read and send emails, delete emails or use other information that are lined to email accounts like resetting passwords for online services.
One could now say that physical access to the system is required to exploit this vulnerability and that's certainly correct up to a point. There may be other means to exploit this though, over a local network for instance or with the help of malware that exports session cookies and sends the data to the attacker.
It needs to be noted that Microsoft is not the only company that is affected by this. Google Drive for example faces a similar issue. When the software is running, you can click on links to open the Google Account on the web without re-authentication.
Can you protect your account against this attack? Not really. Email programs may help but the programs may not be available on all systems you work with. (via)
Advertisement
You said that Outlook isn’t your main email client, so which is your main one?
I think its thunderbird
It is Mozilla Thunderbird.
Awesome! This actually solved my problem… what a stupid bug.
If this is the same bug that I’ve encountered, there may be another fix: (1) hover over open Outlook item in Taskbar, cursor up to hover over Outlook window item, and right-click; (2) this should give you Restore / Move / Size / Minimize / Maximize — choose Move or Size; (3) use your cursor keys, going arbitrarily N/S/E/W, to try to move or size the Outlook window back into view. Basically, the app behaves as though it were open in a 0x0 window, or at a location that’s offscreen, and this will frequently work to resize and/or move the window. Don’t forget to close while resized/moved, so that Outlook remembers the size/position for next time.
THANK YOU Claude!!! I could get the main window to launch but could not get any other message window to show on the desktop. You are my hero!!!!
Solved my issue! 6 years later and this is still problem…
Fantastic. Thank you. Size did the trick.
This solved my Outlook problem, too. Thank you. :)
Thank you so much, this started happening to me today and was causing big problems. You are a life saver, I hope I can help you in some way some day.
You are a god – thank you!
thanks a lot…. work like charm.. :-)
Yah…thanks Claude. I’ve been having the same problem and tried all the suggestions…your solution was the answer. It had resized itself to a 0/0 box. Cheers
Excellent post. This had me baffled even trying to accurately describe the problem. This fixed it for me.
Thank you
Thanks a lot for the article. Don’t know why it happenend, don’t know how it got fixed, but it was really annoying and now it works :-)
Thanks a lot. I was facing this issue from past 3 week. I tried everything but no resolution. The issue was happening intermittently and mainly when I was changing the display of screen ( as i use 2 monitors). The only option i had was to do system restore. But thanks to you.
I’ve been tried to sole this problem for 12hours. Your comment about changing the display of screen helped me a lot!! Thanks!!
Thank you…don’t know why this happened but your instructions helped me fix it. Running Windows 10 and office pro 2007
Great tip! Thanks!
Worked for me, too – thank you!!!
It’s Worked for me, too
thank you very much!
I had a similar issue with Outlook 2013 on Windows 10 and this helped me to fix it. Thank you very much!
Thank you so much. Solved!
Considering you published this in 2012, incredible not been debugged by Microsoft.
Thank you again. M
This problem was faced by only one user logging to TS 2008 r2 using outlook 2010.The issue was resolved.
Thanks.
Great tip. Thank you!!!! If it helps, I had to use the Control Key and the arrow keys at the same time to bring my window back into view. Worked like a charm.
Thank you, this worked !!!!
Man, you are a fucking god. Thanks a lot, what an annoying bug!!
Awesome, this post solved the issue. Many thanks!