Cookie Attack can Hijack Accounts

Tuesday, March 26, 2013 @ 06:03 AM gHale


A vulnerability that could hijack accounts belonging to Microsoft, Twitter, LinkedIn and Yahoo users is now undergoing exploitation, a researcher said.

Google and Facebook customers are not suffering from the flaw.

RELATED STORIES
Huge Botnet Steals from Advertisers
Ramnit Malware Back, Better
Born Again Botnet Much Stronger
Life of a Botnet: Growth in Spurts

The vulnerability, which an attacker can leverage to launch session fixation attacks, is the result of a management issue dealing with cookies and sessions said security researcher Rishi Narang.

If an attacker can intercept authentication cookies, he can use them to hijack the account because although an expiry date is set, they’re still valid even after the customer logs out.

“The cookie/session ID for an authenticated session is available even after the session has been terminated. There are examples where cookies can be accessible to hijack authenticated sessions,” Narang said.

“And these cookies are days (sometimes months) old. As a result, someone can successfully access accounts that belong to individuals from different global locations. Even if they would have logged-in/logged out many a times, theirs cookie would still be valid.”



Leave a Reply

You must be logged in to post a comment.