Orkut Server Side Session Management Error The most recent version of this document is available at:- http://susam.in/security/advisory-2007-06-22.txt Release date:- 22 June, 2007 Type:- Session management error Authors:- Susam Pal, Vipul Agarwal Researchers:- Susam Pal, Vipul Agarwal, Gaurav Mogre (Gaurav's input is present in this advisory even though he could not play a role in writing this advisory.) Description of normal logout:- On a successful login, Orkut sets a client side session cookie called 'orkut_state' to keep track of sessions. When a user logs out, the client side cookie is deleted. Description of unsuccessful authentication during a session:- When a user fails to authenticate himself during a session (say, while deleting a community), the user is redirected to a login page where he has to enter his password to reauthenticate himself. The user is not required to enter his user-name again. The user-name is already shown on the login page and the user is required to enter the password only. In this case, the client side cookie is not deleted in order to keep track of the user re-authenticating himself. Vulnerability:- Orkut fails to expire or disable the session associated with the 'orkut_state' cookie when the user logs out or fails to authenticate himself during a session. Impact:- 1. If an attacker manages to steal this cookie from another user, he can gain access to the compromised account even after the user has logged out since the session associated with it is still alive at the server side. 2. In case of unsuccessful authentication during a session, when the user finds himself logged out, if he leaves the browser unattended, a trespasser can login to his account simply by entering a valid URL for his account or clicking the 'Home' link. Previous advisory:- Net-Square Solutions Pvt. Ltd. reported a similar issue to Google on 10 February, 2006 and released an advisory on 31 January, 2007 which reports the vulnerability to have been fixed with session cookies now set to expire in 24 hours. This Net-Square advisory is avaiable at: http://net-square.com/advisory/NS-310107-ORKUT.pdf However, attacks are still possible before the expiry of the cookies as described in the previous section. A more secure solution is described in the next section. Solutions:- 1. The session associated with 'orkut_state' cookie must expire at the server side when the user logs out. 2. The session associated with 'orkut_state' cookie must be disabled temporarily when a user fails authentication during a session. The session should be enabled only after the user successfully authenticates himself. Prevention:- 1. A user logged into Orkut should not run any untrusted JavaScript or program to prevent the cookie from being stolen. 2. On a shared system, the user must log out of Orkut by clicking the "Logout" link. This would delete the session cookies at the browser and another user can not read the cookie value from the browser. Alternatively, the cookie can be removed from the browser. Disclaimer:- This document is published with the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose. The information in this advisory should be used for education, research, experimentation, bug-fixes and patch-releases only. The authors shall not be liable in any event of any damages, incidental or consequential, in connection with, or arising out of this advisory. Contact Information:- 1. Susam Pal susam@susam.in http://susam.in/ 2. Vipul Agarwal vipul@nuttygeeks.com http://www.ang-productions.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/