A weakness in the way cookies are handled in many web services, including Microsoft Office 365, Yahoo mail, Twitter, Apple iCloud, LinkedIn and Netflix, could enable attackers to gain access to accounts after a user has logged out. According to researcher and City College San Francisco professor Sam Bowne, a longstanding cookie reuse flaw creates “the opposite of security,” blocking authorized users while enabling someone with stolen cookies to log in.
The flaw was originally reported as an issue with Microsoft’s Hotmail and Outlook services last year by The Hacker News, while an independent researcher also discovered a similar problem with LinkedIn. Essentially, it’s possible to export cookies while logged into an Office 365 account or another vulnerable service by using a browser add-on. Even after the user logs out, these cookies can be imported and used to log in again. As a result, all an attacker has to do is steal these cookies, which Bowne noted is not prohibitively difficult.
“There are many ways of stealing cookies; XSS, malware or just stealing your phone. And the person with the cookie can still use your account after you log off,” he wrote on his website. “So the ‘Log off’ feature is the opposite of security – blocking the authorized user but not blocking the attacker. Why doesn’t logging off cancel the cookie? That is obviously the intent of the user who clicks it. This seems like a bug to me.”
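The following Python model, added here as an illustration and not code from any of the services named above, shows why the logout button is “the opposite of security” when the server keeps the session record: a weak service whose logout only asks the browser to drop the cookie is contrasted with a hardened one that revokes the session server-side and also enforces an absolute lifetime. The in-memory session store, the user name and the clock are constructed for the example.

```python
import secrets

# Constructed in-memory session store standing in for a real session database.
# Cookie values are the session IDs returned by login().

class WeakSessionService:
    """Logout only tells the browser to discard the cookie; the server-side
    session record survives, so any exported copy of the cookie keeps working."""

    MAX_LIFETIME = 8 * 3600  # seconds; constructed value for the example

    def __init__(self, clock):
        self.clock = clock            # callable returning current time in seconds
        self.sessions = {}            # session id -> (username, created_at)

    def login(self, username):
        sid = secrets.token_urlsafe(32)          # unguessable session identifier
        self.sessions[sid] = (username, self.clock())
        return sid                               # value the Set-Cookie header carries

    def logout(self, sid):
        # Only the client-side cookie is expired; nothing changes on the server.
        return "Set-Cookie: session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT"

    def whoami(self, sid):
        """Return the user bound to the cookie, or None if it is not accepted."""
        record = self.sessions.get(sid)
        return record[0] if record else None


class HardenedSessionService(WeakSessionService):
    """Logout revokes the session record, and every lookup rejects sessions
    older than MAX_LIFETIME, so a stolen cookie stops working after logout
    and cannot be replayed indefinitely even without one."""

    def logout(self, sid):
        self.sessions.pop(sid, None)             # server-side invalidation
        return super().logout(sid)

    def whoami(self, sid):
        record = self.sessions.get(sid)
        if record is None:
            return None
        username, created_at = record
        if self.clock() - created_at > self.MAX_LIFETIME:
            self.sessions.pop(sid, None)         # expired: treat like logged out
            return None
        return username


class FakeClock:
    """Constructed controllable clock so the lifetime check can be demonstrated."""
    def __init__(self, now=1_000_000):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


def replay_after_logout(service_cls):
    """Model the scenario in the article: copy the cookie while logged in, log
    out, then present the copy again. Returns the user the server accepts."""
    svc = service_cls(FakeClock())
    sid = svc.login("alice")
    exported_copy = sid          # the cookie exported with a browser add-on
    svc.logout(sid)
    return svc.whoami(exported_copy)


def replay_after_lifetime(service_cls, seconds):
    """Model a cookie that was never logged out but has aged `seconds`."""
    clock = FakeClock()
    svc = service_cls(clock)
    sid = svc.login("alice")
    clock.advance(seconds)
    return svc.whoami(sid)


if __name__ == "__main__":
    print("weak, replay after logout:    ", replay_after_logout(WeakSessionService))
    print("hardened, replay after logout:", replay_after_logout(HardenedSessionService))
    print("hardened, 9h-old cookie:      ", replay_after_lifetime(HardenedSessionService, 9 * 3600))
```

The point of the contrast is that a `Set-Cookie` header with a past expiry date is only advice to the browser; the server must forget the session itself, otherwise the logout leaves the legitimate user locked out while a copied cookie still authenticates.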
Responding to the threat
Network World noted that Microsoft was alerted to the vulnerability when The Hacker News reported it last year and that it closed the security investigation, classifying the flaw as a “known issue.” The company also observed that the flaw would not allow an attacker to change an account password, because of the way authorization cookies are transferred, which limits its effectiveness.
Nonetheless, such a flaw could prove to be a useful espionage tool, Network World explained. Organizations that want to avoid inadvertently shipping this kind of behavior can strengthen software security using tools such as static analysis software, which lets developers catch errors before code is released. By scanning for flaws, organizations put themselves in a better position to protect their users’ personal information.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.