
Sunday, December 16, 2012

EXCLUSIVE: Hotmail and Outlook Cookie Handling Vulnerability Allows Account Hijacking. Learn How + Working Demo



This Friday I was with my co-security researcher "Christy Philip Mathew" and we were in the THN Lab analyzing a Cookie Handling Vulnerability in the most famous email services, Hotmail and Outlook. Both are merged now and belong to the same parent company, Microsoft.

The vulnerability allows an attacker to hijack accounts in a very easy way, just by exporting a user's cookies from one system and importing them on the attacker's system; even after the victim logs out, the attacker is able to reuse the cookies at his end. There are different ways of stealing cookies, which we will discuss below.

Last year, in May 2012, another Indian security researcher, Rishi Narang, claimed a similar vulnerability in the LinkedIn website.

Vulnerability Details
Microsoft, like many websites, uses cookies in which the session information is stored in the user's web browser. Cookies are responsible for maintaining a session on a machine. Once a user logs out from a PC, the session cookies should be invalidated on the server side and must not be reusable.

But in the case of Hotmail and Outlook, even after logout, the same cookies can be used again to authenticate the session without logging in with the password.
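The following is an added, constructed illustration of the flaw described above, written from the server's side; it is not Microsoft's code, and the `SessionStore` class, its method names and the sample account are assumptions. It contrasts a logout that only clears the browser cookie (the reported behaviour, where an exported copy keeps working) with a logout that also revokes the session on the server, and shows the `Secure`/`HttpOnly` cookie flags that blunt the network and script theft vectors discussed later in the post.

```python
import secrets
import time

# Constructed, hypothetical server-side session store (not Microsoft's code).
# A session is valid only while the server still holds its token, so revoking
# the token on logout is what makes an exported cookie useless afterwards.
class SessionStore:
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, expiry time)

    def login(self, user):
        # Random, unguessable session identifier; this value goes into the cookie.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.time() + self.ttl)
        return token

    def set_cookie_header(self, token):
        # Secure: never sent over plain HTTP (the same-network MITM case);
        # HttpOnly: not readable from page script (the XSS case).
        return f"Set-Cookie: session={token}; Secure; HttpOnly; Path=/"

    def authenticate(self, token):
        # Called on every request that carries the session cookie.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if time.time() > expiry:
            del self._sessions[token]
            return None
        return user

    def logout_client_only(self, token):
        # The behaviour the post reports: the browser is told to drop the
        # cookie, but the server keeps the session, so a saved copy still works.
        return "Set-Cookie: session=; Max-Age=0"

    def logout(self, token):
        # Correct logout: revoke on the server first, then clear the browser cookie.
        self._sessions.pop(token, None)
        return "Set-Cookie: session=; Max-Age=0"


def replay_after_logout(server_revokes):
    """Export the cookie (as the post's cookies.txt does), log out, replay it.
    Returns the user the replayed cookie authenticates as, or None."""
    store = SessionStore()
    exported = store.login("alice@example.invalid")  # constructed account
    if server_revokes:
        store.logout(exported)
    else:
        store.logout_client_only(exported)
    return store.authenticate(exported)
```

With `server_revokes=False` the replayed cookie still authenticates after logout, which is exactly the import-and-reuse demo below; with `server_revokes=True` it is rejected.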


Proof of Concept

To demonstrate this loophole, readers should first know about cookie importing and exporting. A serious technical step? No, one just needs a Firefox addon called 'cookie-importer' (download) for importing and 'Cookie Exporter' (download) for exporting cookies in the browser.

Step 1: log in to your Hotmail or Outlook email account, go to cookie-exporter and save the file on your system, then log out of your account (as shown below).



Step 2: go to another browser or any other system, where you should have cookie-importer installed this time. Select the file and import it.

Step 3: once imported, just open outlook.com or hotmail.com in your browser and you will see that the victim's account logs in automatically, using the same cookies.

Video Demonstration: click here for video

Working Live Example for Readers
For a live working demo for our readers, we have created an account on outlook.com, where the email is test_security0@outlook.com and the password is .....? Nah, you don't need that!

We have exported the cookies of our account to a text file, and readers can download the cookies.txt file 'Here'. Once you (the attacker) have the cookies, go to your browser and import them using the addon as shown above, then visit outlook.com and 'let me know via comments on this post' what you have!

Why did the researcher choose public disclosure?
Being a responsible security news portal, 'The Hacker News' always suggests that hackers and researchers first report each possible vulnerability only to the vendor. We are reporting this bug exclusively for the first time, but a one-month-old article is also available on his website, where he already explained all about it (but secretly).

In this case too, Christy had reported it to the Microsoft Security Team and received the following response:



The Microsoft Security Team closed the ticket by saying that cookies are transferred over HTTPS in encrypted form and that the account password cannot be changed without re-authentication. The researchers accept that it is not a serious vulnerability, so Christy chose public disclosure.

But I didn't get one thing: either the Microsoft team didn't understand the impact factor, or they don't want to? Why would one need to change the password if he can access mails, delete, send and back them up with just the cookies!

Possible Implementations of Account Hijacking
Finally, the most important part: how are cookies stolen? A cookie is usually a small piece of data sent from a website and stored in the user's web browser. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to inform it of the user's previous activity.

Cookies have a parameter called 'domain', which equals the domain name of the website that created the cookie in the browser, and only that same domain is able to read the respective cookies from the browser.

There are various ways an attacker can steal cookies, depending on various factors:

1.) Physical access to the victim's system (Success Rate - 100%): As shown above, if the attacker has physical access to the victim's system, he can easily export the cookies of a logged-in account to a text file and then take it to another system to reuse them.

If one has physical access, he can do many more things, so why just steal cookies? The point is, once the attacker has the cookies, he can reuse them again and again for re-authentication, even after the victim logs out of the session at his end any number of times.

2.) Victim and attacker on the same network (Success Rate - 50%): If the attacker and victim are using the same LAN/Wi-Fi network, a man-in-the-middle attack can do this sort of thing using tools like SSLstrip.


One of the best portable tools for performing session/cookie hijacking over HTTPS is an Android penetration testing application called "dSploit", which has a "Session Hijacker" option. There are lots of similar tools available for this purpose.

3.) Cross-site scripting in Hotmail and Outlook (Success Rate - 100% if XSS exists): Internet giants like Google, PayPal and Facebook pay thousands of dollars in bug bounties for cross-site scripting because these vulnerabilities can be used to steal user cookies for account hijacking. In the same way, if some hacker discovers an XSS vulnerability in Hotmail or Outlook in future, he will be able to steal cookies by crafting malicious links.

In this method, the combination of a cross-site scripting vulnerability and the cookie handling vulnerability would lead to the hijacking of Hotmail and Outlook accounts.

A few days back, an unknown hacker was selling an exploit for $700 that allowed individuals to hijack a Yahoo! email account; in that case the hacker was using a cross-site scripting flaw in one of the domains of the Yahoo website.

4.) Malware and stealers (Success Rate - 100%): The victim's PC can be hacked using auto cookie-stealing malware (currently under beta testing by the team), or any RAT tool can allow the attacker to get your cookies remotely.

Vulnerability Timeline
Vulnerability Discovered - 11 Nov 2012
Vulnerability Reported - 11 Nov 2012
Reply from vendor - 12 Dec 2012
Vulnerability Public Disclosure - 14 Dec 2012

We hope Microsoft will take the issue seriously and fix it as soon as possible!
