Thursday, February 28, 2008
Wednesday, February 20, 2008
Orkut cookie Vulnerability
If you were worried about the Gmail cookie vulnerability exposed by sidejacking, Orkut makes things even easier! All it takes is to sniff a packet, pull the cookie out of it, set it in a browser, and you are done.
Orkut login works over a secure SSL channel, but after login it falls back to non-secure traffic. Another example of "secure login, insecure data". Even during login, the Orkut cookie is set over a non-secure channel; only the Gmail cookies (LSID, GALX) are set over secure HTTPS.
Orkut uses two cookies, orkut_state and OSN, to validate the login. If someone can sniff or otherwise obtain these two cookies (using Wireshark, sidejacking or some other way), they can add them to their browser (using the Firefox cookie editor or another tool) and open the Orkut website. This logs them directly into the victim's account. Once logged in, they can act as the victim, view his/her Gmail address book, and maybe much more!
How Orkut gmail login works:
When you use your Gmail account to log in to Orkut, you are redirected to the Google Mail redirect login page, which sets the Orkut cookie over HTTP and the Gmail cookies (LSID and a few others) over secure SSL. So even when SSL is enabled and sidejacking is not possible for the Google Mail account, you can still log in to the Orkut account.
A few snapshots to show this (the actual cookie data is hidden; I can't decipher it, but just in case someone could ;-)
Someone captures the packet:
(Packet data captured using Wireshark. All the cookies required can be obtained here, from just one captured packet.)
Adds the cookies to his browser:
(Cookies added using the cookie editor)
And that's it. Now when he opens orkut.com, he will gain access to your account.
The point is that you cannot secure accounts by only using a secure login. To be completely secure, all data should be transferred over a secure channel, with no fallback to a non-secure one if SSL fails.
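The rule in the last paragraph can be checked mechanically on a site's responses: a session cookie is only safe from on-path sniffing if the response that sets it arrives over HTTPS and the cookie carries the Secure attribute, so the browser never replays it on a plain http:// request. The audit below is an added example, not code from the original post; it parses constructed Set-Cookie headers in the shape the post describes (orkut_state and OSN set over HTTP, LSID set over HTTPS) and reports which session cookies are exposed. The cookie values and the list of session cookie names are assumptions for the example.

```python
from dataclasses import dataclass

# Cookie names that authenticate the session (taken from the post);
# leaking any one of them leaks the account.
SESSION_COOKIES = {"orkut_state", "OSN", "LSID"}


@dataclass
class CookieSetting:
    name: str
    secure: bool      # Secure attribute present on the cookie
    over_https: bool  # the response that set the cookie arrived over TLS


def parse_set_cookie(header: str, over_https: bool) -> CookieSetting:
    """Parse one Set-Cookie header value into its name and the Secure flag."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieSetting(name, "secure" in attrs, over_https)


def sniffable(c: CookieSetting) -> bool:
    """A session cookie is exposed on the wire if it was set in a cleartext
    response, or if it lacks Secure (the browser will later send it over HTTP)."""
    return c.name in SESSION_COOKIES and (not c.over_https or not c.secure)


def audit(responses):
    """responses: list of (scheme, [Set-Cookie header values]).
    Returns the names of session cookies a sniffer could capture, in set order."""
    exposed = []
    for scheme, headers in responses:
        for h in headers:
            c = parse_set_cookie(h, scheme == "https")
            if sniffable(c):
                exposed.append(c.name)
    return exposed


# Constructed sample mirroring the post: Orkut cookies set over plain HTTP
# without Secure, Gmail LSID set over HTTPS with Secure. Values are placeholders.
SAMPLE = [
    ("http", ["orkut_state=PLACEHOLDER1; Path=/; Domain=.orkut.com",
              "OSN=PLACEHOLDER2; Path=/; Domain=.orkut.com"]),
    ("https", ["LSID=PLACEHOLDER3; Path=/accounts; Secure; HttpOnly"]),
]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"session cookie {name} is exposed to sniffing")
```

Note that a cookie set over HTTPS but without Secure is still flagged, since the browser will send it along on the first non-secure page after the SSL fallback the post describes.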