On June 22, 2007 I posted a full-disclosure regarding an Orkut session management issue. A week later, on June 29, 2007 I posted another full-disclosure regarding a similar issue in Google. The cause of both issues is the same: the session associated with an Orkut user does not expire even after the user logs out, which is a bad design from a security perspective.

A couple of days later, on the basis of these posts, a live demonstration of Orkut session hijacking was posted in the same mailing list. The results of the experiment were shared yesterday. It confirmed that an Orkut session remains alive for at least 7 days after the user has logged out.

The issue is not a critical one at the moment because it requires stealing the cookies. If a cross-site scripting (XSS) flaw is disclosed before this flaw is fixed, it can cause a great deal of mayhem, because attackers can then use the XSS flaw to steal the session cookies. Once they have the session cookies, they can misuse the compromised account even after the user has logged out, which is exactly the consequence of this issue.
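To make the distinction concrete, here is an added example (not Orkut's or Google's code; the in-memory session store, the function names and the 14-day lifetime are assumptions based on this post). It contrasts a logout that only removes the cookie in the browser with one that also invalidates the session on the server, and replays a previously copied cookie after each:

```python
import secrets

# Constructed in-memory session store standing in for the server-side state,
# which the post does not describe. Maps session id -> session record.
SESSIONS = {}

# Assumed lifetime, matching the 14 days observed in the post's update.
SESSION_TTL_SECONDS = 14 * 24 * 3600


def login(username, now):
    """Create a server-side session and return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return sid


def is_valid(sid, now):
    """True if the presented cookie maps to a live server-side session."""
    rec = SESSIONS.get(sid)
    return rec is not None and now < rec["expires"]


def logout_client_only(browser_jar, sid):
    """Weak pattern (the behaviour the post describes): the browser drops the
    cookie, but the server keeps the record, so any copy of the cookie keeps
    working until the lifetime runs out."""
    browser_jar.pop(sid, None)


def logout_server_side(browser_jar, sid):
    """Hardened pattern: delete the record on the server as well, so a copied
    cookie stops working the moment the user logs out."""
    browser_jar.pop(sid, None)
    SESSIONS.pop(sid, None)


def cookie_still_works_after_logout(logout, seconds_after_logout=7 * 24 * 3600):
    """Log in, keep a copy of the cookie (as a cookie thief would have), log out
    with the given function, then check whether the copy is still accepted."""
    SESSIONS.clear()
    jar = {}
    t0 = 0
    sid = login("alice", t0)        # constructed user
    jar[sid] = True
    copied_cookie = sid
    logout(jar, sid)
    return is_valid(copied_cookie, t0 + seconds_after_logout)
```

With the client-only logout the copied cookie is still accepted a week later, exactly as the mailing-list experiment observed; with server-side invalidation it is rejected immediately.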

Let us hope this gets fixed soon.

Update: July 15, 2007: The live demonstration of Orkut session hijacking confirmed that an Orkut session remains alive for 14 days after the user has logged out.
