Cookie Re-Use in Office 365 and Other Web Services

Topics

Hacking into my American Express Account Without a Password

Note: I just tested it with a time delay, and the stolen cookie stops working after ten minutes of inactivity, so that lowers the risk to some extent. -- Added 11:19 am 7-23-13

Hacking into my Chase Account Without a Password

Note: I just tested it with a time delay, and the stolen cookie stops working after ten minutes of inactivity, so that lowers the risk to some extent. -- Added 2:07 pm 7-23-13

Background

In 2012, The Hacker News posted this article showing that stolen cookies can be re-used in Hotmail and outlook.com. I wondered if it was still true, and I easily reproduced it using Chrome and the Edit This Cookie Extension.

Why this is Important

There are many ways of stealing cookies: XSS, malware, or just stealing your phone. And the person with the cookie can still use your account after you log off. Office 365 even lets attackers continue to use old cookies after you change your password, and after copying the cookies to a different machine.

So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking attackers.

Why doesn't logging off cancel the cookie? That is obviously the intent of the user who clicks it. This seems like a bug to me. However, Microsoft was notified last year and decided they like it this way, as detailed in the Hacker News article.

Please Help

Please test more services and tweet results to me @sambowne

See the step-by-step instructions below.

Here is the list of sites I and others have tested so far. Within each category, the BAD column (sites that allow cookie re-use after logout) is listed first and the GOOD column (sites that deny cookie re-use) second; the letters in parentheses refer to the Notes below.

Financial

BAD - Allow Cookie Re-Use:
American Express (E)
Chase (E)
Discover Card (J)
@askRegions Bank (I)
TDbank (G)

GOOD - Deny Cookie Re-Use:
Bank of America (L)
Arizona Federal Credit Union (L)
@BECU (O)

Shopping

BAD - Allow Cookie Re-Use:
Amazon (A C)
IBM (including Many Eyes)
NetFlix (F)
TigerDirect (A C)
Woot (M)

GOOD - Deny Cookie Re-Use:
Adobe
Craigslist
Travelocity
Newegg (N)

Email & Social

BAD - Allow Cookie Re-Use:
Chrome App Store (A C G H)
Flickr
iCloud (C K)
LinkedIn
Live.com
Office 365 (A B)
Soundcloud (G)
Stumbleupon
Twitter (C K)
Wordpress
Yahoo mail
YouTube (D G H)

GOOD - Deny Cookie Re-Use:
Facebook
Gmail
Tweetdeck

News

BAD - Allow Cookie Re-Use:
Forbes
The Guardian
Huffington Post
The New York Times
Reddit

GOOD - Deny Cookie Re-Use:
The Register
Ars Technica
Slashdot

Security

BAD - Allow Cookie Re-Use:
Packet Storm (G)

GOOD - Deny Cookie Re-Use:
Cloudflare (Fixed on 7-25-13)
(ISC)²
LastPass
Mitto
My1Login
Need My Password
Passpack

Others

BAD - Allow Cookie Re-Use:
CourseSmart
Github
NameCheap (I)
Vimeo
Waze
WHMCS (G)

GOOD - Deny Cookie Re-Use:
alpha.app.net (tested by @nicoduck)
Dropbox
Godaddy
Insight (CCSF's Online Course System)

Notes

A: Cookie still works after password reset! (ty @dakami for asking this question)
B: Cookie still works when copied to another machine (ty @0x90NOP and @winremes for asking this question)
C: Cookie still worked after 12 hours logged out
D: Cookie no longer worked after 12 hours logged out
E: Cookie expires after 10 minutes
F: Tested by @privacyfanatic
G: Tested by @_KrypTiK
H: Verified by @sambowne
I: Tested by @jTizYl
J: Tested by Julie Hietschold
K: Password reset invalidates old cookie
L: Tested by Hector Acencio
M: Tested by @NDRoughneck
N: Tested by @splint3rz
O: Tested by @vaha

ASP.NET and Cookie Re-Use

I got this message from Richard Turnbull after my Defcon 21 talk with Matthew Prince:
"Re: the ineffective logout mechanisms you were talking about...ASP.NET's forms authentication function exhibits the behaviour you were describing (i.e. only invalidating the cookie on the client side at logout). This is definitely a bad idea (which is of course the point you were making) but I guess it is part of the reason why so many sites have this issue (in particular I remember seeing Office365 and another Microsoft site on your list - they may well be using ASP.NET).

We often report this issue when doing web application assessments for our clients, but without any real expectation that they'll do anything about it (because they'd either have to stop using ASP.NET forms auth or somehow persuade Microsoft to fix it!)"

From: Richard Turnbull, Principal Security Consultant, NCC Group


Step-by-Step instructions

1. Log in to Office 365 (or the other site you are testing)

Your name appears in the upper right corner, as shown below, and your emails are visible.

2. Save the URL

The URL of this page is different from the URL of the login page.

Add this page to your Favorites, or make some other record of its URL.

3. Export Cookies

Click the cookie icon, and click "Export cookies". A message pops up saying "Cookies copied to clipboard" as shown below:

4. Log Out

You now see the login screen, and your emails are no longer visible.

5. Return to the URL

Click the Favorite you made in step 2. As expected, that page does not show your emails anymore--it just redirects back to the login page.

6. Import Cookies

Click the cookie icon, and click "Import cookies".

A box appears saying "Paste here the cookies to import". Paste the cookies there, as shown below (I redacted the image, since anyone with this data can apparently get into my Office 365 account.)

Then click the "Submit cookie changes" button.

7. Return to the URL Again

Click the Favorite you made. If the site is vulnerable, you'll see your personalized page, as shown below.

If the site is not vulnerable, you will see a logon page.
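The replay test above (steps 1 through 7), together with the two logout designs discussed under "Why this is Important" and in Richard Turnbull's ASP.NET note, as an added Python example. This is my illustration, not code from this page, from Microsoft, or from any site on the list: a toy session store where "Log off" only clears the browser's cookie, beside one where the server revokes the session, rejects sessions issued before a password reset (Note A) and drops idle sessions after ten minutes (Note E). All class and function names are hypothetical, and the "stolen" cookie is simply the token the test copies before logging out.

```python
"""Added example, not code from this page or from any site listed on it.

A toy model of the two logout designs under discussion: one where "Log off"
only clears the cookie in the browser (the ASP.NET forms-auth behaviour the
quote above describes), and one where the server revokes the session, rejects
sessions issued before a password reset (Note A) and drops idle sessions after
ten minutes (Note E). Class and function names are hypothetical."""
import secrets
import time


class ClientSideOnlyLogout:
    """Vulnerable: logout returns a Set-Cookie that clears the browser's copy,
    but the server keeps the token valid, so a copied cookie still works."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, user):
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def logout(self, token):
        # Nothing changes server-side; only the client is told to forget it.
        return "Set-Cookie: session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT"

    def whoami(self, token):
        return self._sessions.get(token)


class ServerSideSessions:
    """Hardened: the server's table is the source of truth for every token."""

    def __init__(self, idle_timeout=600, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # seconds; 600 = the ten minutes AmEx/Chase use
        self.clock = clock                # injectable so the timeout can be tested
        self._sessions = {}               # token -> {"user", "last_seen", "pw_gen"}
        self._pw_generation = {}          # user -> counter bumped on password change

    def login(self, user):
        token = secrets.token_hex(16)
        self._sessions[token] = {
            "user": user,
            "last_seen": self.clock(),
            "pw_gen": self._pw_generation.get(user, 0),
        }
        return token

    def logout(self, token):
        # Revoke on the server, so the same cookie is dead on every machine.
        self._sessions.pop(token, None)
        return "Set-Cookie: session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT"

    def change_password(self, user):
        # Every session issued before this call now carries a stale generation.
        self._pw_generation[user] = self._pw_generation.get(user, 0) + 1

    def whoami(self, token):
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout:
            self._sessions.pop(token, None)  # idle too long (Note E)
            return None
        if s["pw_gen"] != self._pw_generation.get(s["user"], 0):
            self._sessions.pop(token, None)  # issued before a password reset (Note A)
            return None
        s["last_seen"] = now
        return s["user"]


def cookie_replay_test(store):
    """The page's steps 1-7 in miniature: log in, copy the cookie, log out,
    then present the copied cookie again. True means the store is vulnerable."""
    stolen = store.login("alice")  # the copy an attacker would hold after XSS, malware, etc.
    store.logout(stolen)
    return store.whoami(stolen) == "alice"


if __name__ == "__main__":
    for store in (ClientSideOnlyLogout(), ServerSideSessions()):
        verdict = "BAD (allows re-use)" if cookie_replay_test(store) else "GOOD (denies re-use)"
        print(f"{type(store).__name__}: {verdict}")
```

Run directly, it prints one verdict per store. The clock is injected so the ten-minute idle timeout can be exercised without waiting, and the password-generation counter is what makes Note A hold: a cookie issued before the reset is rejected even though the token itself never changed.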

Media Coverage

This issue has been published by @privacyfanatic in Network World!


Changelog

Posted 12:23 pm 7-15-13 by Sam Bowne
Yahoo and Gmail test added 1:36 PM
More services added 6:24 pm 7-15-13
Reformatted 6:35 pm
More sites added 9:50 pm
iCloud and NetFlix added 11:26 am 7-16-13
Live.com, Dropbox, Box, GitHub, and Cloudflare 2:33 pm 7-16-13
Edit 3:05 PM
Password reset for Office 365 tested 3:28 pm 7-16-13
Copying to another machine tested 3:41 pm 7-16-13
Added Insight, Waze 4:04 pm 7-16-13
Format changed 6:13 pm 7-16-13
Password managers added 10:40 am 7-17-13
app.net added 11:10 am 7-17-13
Added many news sites 8:18 am 7-19-13
Discover added 4 pm 7-21-13
IBM, Reddit, Adobe, and Flickr added 1:50 pm 7-22-13
Reformatted 6:05 pm 7-22-13
Videos added with Chase and AmEx vulnerabilities 0:00 am 7-23-13
AmEx's ten-minute logout added 11:57 am 7-23-13
Chase's ten-minute logout added 2:06 pm 7-23-13
NameCheap and @askRegions Bank added 2:35 pm 7-23-13
Adobe moved from Bad to Good 11:36 am 7-24-13
Soundcloud added 12:14 pm 7-25-13
YouTube, Chrome, and TDbank added 12:47 pm 7-25-13
WHMCS added 2:09 pm 7-25-13
Packet Storm added 6:30 pm 7-25-13
Cloudflare moved to GOOD 7:23 pm 7-25-13
Duplicate of Vimeo removed 8:02 PM 7-25-13
Reformatted, 12 hr. test notes added 8:40 am 7-26-13
Note from Richard Turnbull added; "Topics" section added 11:36 am 8-3-13
Updated 1:12 pm 8-7-13 with L and M info
Updated 1:33 pm 8-8-13 with N info
Updated 11:42 am 8-13-13 with O info