orkut-mgmt.txt

Posted Jun 26, 2007
Authored by Susam Pal, Vipul Agarwal | Site susam.in

Orkut fails to expire or disable the session associated with the 'orkut_state' cookie when the user logs out or fails to authenticate himself during a session.

SHA-256 | 3a90b01bdb461209a1a19adeb541b056df60200c9788a2bc7f1b48172b8ad24c

Orkut Server Side Session Management Error

The most recent version of this document is available at:-
http://susam.in/security/advisory-2007-06-22.txt

Release date:-
22 June, 2007

Type:-
Session management error

Authors:-
Susam Pal, Vipul Agarwal

Researchers:-
Susam Pal, Vipul Agarwal, Gaurav Mogre
(Gaurav contributed to the research behind this advisory but did not
take part in writing it.)

Description of normal logout:-
On a successful login, Orkut sets a client-side session cookie called
'orkut_state' to keep track of the session. When a user logs out, only
the client-side cookie is deleted.

Description of unsuccessful authentication during a session:-
When a user fails a re-authentication check during a session (for
example, while deleting a community), he is redirected to a login page
where he has to enter his password again. He is not asked for his
user-name: it is already shown on the login page and only the password
is required. In this case the client-side cookie is not deleted, so that
the server can tell which user is re-authenticating.

Vulnerability:-
Orkut fails to expire or disable the session associated with the
'orkut_state' cookie when the user logs out or fails to authenticate
himself during a session.

Impact:-
1. If an attacker manages to steal this cookie from another user, he
can use it to access the compromised account even after the victim has
logged out, since the session associated with it is still alive on
the server side.
2. When a user is sent to the re-authentication page and leaves the
browser unattended, a trespasser can get back into the account simply
by entering a valid URL for that account or clicking the 'Home' link,
because the session behind the cookie was never disabled.

Previous advisory:-
Net-Square Solutions Pvt. Ltd. reported a similar issue to Google on
10 February, 2006 and released an advisory on 31 January, 2007 which
reports the vulnerability as fixed, with session cookies now set to
expire after 24 hours. The Net-Square advisory is available at:
http://net-square.com/advisory/NS-310107-ORKUT.pdf

However, a 24-hour expiry only bounds the exposure; within that window
the attacks described in the previous section remain possible. A more
secure solution is described in the next section.

Solutions:-
1. The session associated with 'orkut_state' cookie must expire at the
server side when the user logs out.
2. The session associated with 'orkut_state' cookie must be disabled
temporarily when a user fails authentication during a session. The
session should be enabled only after the user successfully
authenticates himself.
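The following is an added example, not code from this advisory or from Orkut, that models the behaviour described in the Description and Impact sections beside the two fixes proposed above. Only the cookie name 'orkut_state' comes from the advisory; the class and function names, the in-memory session table, the sample user and password, and the outcome strings are assumptions made for the illustration. LegacyServer reproduces the reported behaviour (logout and a failed re-authentication leave the server-side session alive); HardenedServer implements Solution 1 (destroy the session on logout) and Solution 2 (suspend it on a failed re-authentication and re-enable it only after the password is accepted).

```python
import secrets
import time

# Constructed sample credentials for the demonstration only.
USERS = {"alice": "correct horse"}


class SessionStore:
    """Server-side session table keyed by the value of the 'orkut_state'
    cookie. Only the random id is sent to the browser; all state lives here."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": str, "active": bool, "issued": float}

    def login(self, user, password):
        """Return a fresh session id on a correct password, else None."""
        if USERS.get(user) != password:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable; this is the cookie value
        self.sessions[sid] = {"user": user, "active": True, "issued": time.time()}
        return sid

    def authorize(self, cookie):
        """Map an incoming 'orkut_state' cookie to an outcome for the request:
        ("anonymous", None), ("reauth", user) or ("ok", user)."""
        rec = self.sessions.get(cookie)
        if rec is None:
            return ("anonymous", None)
        if not rec["active"]:
            return ("reauth", rec["user"])  # login page may show the user-name
        return ("ok", rec["user"])


class LegacyServer(SessionStore):
    """Behaviour the advisory describes: both events only change what the
    browser holds; the server forgets nothing."""

    def logout(self, cookie):
        pass  # browser deletes its cookie, server-side session survives

    def failed_reauth(self, cookie):
        pass  # user is shown the login page, session stays active


class HardenedServer(SessionStore):
    """Solutions 1 and 2 from the advisory."""

    def logout(self, cookie):
        self.sessions.pop(cookie, None)  # Solution 1: session dies server side

    def failed_reauth(self, cookie):
        rec = self.sessions.get(cookie)
        if rec is not None:
            rec["active"] = False  # Solution 2: disabled until the password is re-entered

    def reauth(self, cookie, password):
        """Re-enable a suspended session only on a correct password."""
        rec = self.sessions.get(cookie)
        if rec is None or USERS.get(rec["user"]) != password:
            return False
        rec["active"] = True
        return True


def run_scenarios(server_cls):
    """Replay both attacks from the Impact section against a server class
    and return the outcome of each as a dict."""
    server = server_cls()
    results = {}

    # Impact 1: the attacker copied the cookie earlier; the victim then logs out.
    sid = server.login("alice", "correct horse")
    stolen_cookie = sid
    server.logout(sid)
    results["stolen_cookie_after_logout"] = server.authorize(stolen_cookie)[0]

    # Impact 2: re-authentication prompt, browser left unattended,
    # a trespasser clicks the 'Home' link with the cookie still present.
    sid = server.login("alice", "correct horse")
    server.failed_reauth(sid)
    results["home_after_failed_reauth"] = server.authorize(sid)[0]

    # Only the hardened server can bring the suspended session back.
    if hasattr(server, "reauth"):
        server.reauth(sid, "correct horse")
        results["after_successful_reauth"] = server.authorize(sid)[0]
    return results


if __name__ == "__main__":
    print("legacy  :", run_scenarios(LegacyServer))
    print("hardened:", run_scenarios(HardenedServer))
```

Against LegacyServer both scenarios come back "ok", which is exactly the two impacts above; against HardenedServer the stolen cookie is "anonymous" after logout and the unattended browser gets "reauth" rather than "ok" until the password is supplied. Two points go beyond the advisory's text and are the example author's own: a suspended record keeps the user-name so the login page can still display it, as the Description section requires, and a real deployment would also set the cookie HttpOnly so that script injection cannot read it, which narrows the theft vector Prevention 1 warns about.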

Prevention:-
1. A user logged into Orkut should not run any untrusted JavaScript or
program to prevent the cookie from being stolen.
2. On a shared system, the user must log out of Orkut by clicking the
"Logout" link. This deletes the session cookie from the browser, so
another user of the same machine cannot read its value. Alternatively,
the cookie can be removed from the browser manually.

Disclaimer:-
This document is published with the hope that it will be useful, but
without any warranty; without even the implied warranty of
merchantability or fitness for a particular purpose. The information in
this advisory should be used for education, research, experimentation,
bug-fixes and patch-releases only. The authors shall not be liable in
any event of any damages, incidental or consequential, in connection
with, or arising out of this advisory.

Contact Information:-
1. Susam Pal
susam@susam.in
http://susam.in/

2. Vipul Agarwal
vipul@nuttygeeks.com
http://www.ang-productions.com/
