Orkut Server Side Session Management Error

The most recent version of this document is available at:-
http://susam.in/security/advisory-2007-06-22.txt

Authors:-
Susam Pal, Vipul Agarwal

Researchers:-
Susam Pal, Vipul Agarwal, Gaurav Mogre

Type:-
Session management error

Timeline:-
2007-06-21 - Discovered
2007-06-22 - Reported to vendor; public disclosure

Summary:-
The session associated with a user does not expire at the server side
when the user logs out, and it is not disabled when the user fails
authentication during a session. An attacker can exploit this to hijack
the session of a legitimate user even after that user has logged out or
has been logged out because of a failed authentication during a session.

Description of Normal Logout:-
On a successful login, Orkut sets a client side session cookie called
'orkut_state' to keep track of sessions. When a user logs out, the
client side cookie is deleted.

Description of Unsuccessful Authentication During a Session:-
When a user fails to authenticate himself during a session (say, while
deleting a community), the user is redirected to a login page where he
has to enter his password to re-authenticate himself. The user is not
required to enter his user-name again: the user-name is already shown
on the login page and only the password is required. In this case, the
client side cookie is not deleted, in order to keep track of the user
re-authenticating himself.

Vulnerability:-
Orkut fails to expire or disable the session associated with the
'orkut_state' cookie when the user logs out or fails to authenticate
himself during a session.

Impact:-
1. If an attacker manages to steal this cookie from another user, he can
   gain access to the compromised account even after the user has logged
   out, since the session associated with it is still alive at the
   server side.
2. In case of unsuccessful authentication during a session, when the
   user finds himself logged out and leaves the browser unattended, a
   trespasser can log in to his account simply by entering a valid URL
   for his account or clicking the 'Home' link.

Previous Advisory:-
Net-Square Solutions Pvt. Ltd. reported a similar issue to Google on
10 February, 2006 and released an advisory on 31 January, 2007 which
reports the vulnerability to have been fixed, with session cookies now
set to expire in 24 hours. This Net-Square advisory is available at:
http://net-square.com/advisory/NS-310107-ORKUT.pdf
However, attacks are still possible before the expiry of the cookies,
as described in the previous section. A more secure solution is
described in the next section.

Solutions:-
1. The session associated with the 'orkut_state' cookie must expire at
   the server side when the user logs out.
2. The session associated with the 'orkut_state' cookie must be disabled
   temporarily when a user fails authentication during a session. The
   session should be enabled again only after the user successfully
   authenticates himself.

Prevention:-
1. A user logged into Orkut should not run any untrusted JavaScript
   code, program, etc., or click on any suspicious link, to prevent the
   cookie from being stolen.
2. On a shared system, the user must log out of Orkut by clicking the
   "Logout" link. This deletes the session cookies at the browser, so
   another user cannot read the cookie value from the browser.
   Alternatively, the cookie can be removed from the browser manually.

Disclaimer:-
This document is published with the hope that it will be useful, but
without any warranty; without even the implied warranty of
merchantability or fitness for a particular purpose. The information in
this document should be used for education, research, experimentation,
bug-fixes and patch-releases only. The authors shall not be liable in
any event of any damages, incidental or consequential, in connection
with, or arising out of this document.
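Illustration of the server side behaviour the Solutions section asks for, added here as a constructed example rather than Orkut's or the authors' code (the SessionStore class, its method names and the cookie values are all assumptions): the session record behind the cookie is dropped on logout and suspended on a failed re-authentication, so a cookie value copied earlier resolves to nothing.

```python
import secrets
# Constructed illustration of the advisory's two fixes; not Orkut's code.
# Every class, method and value name here is an assumption.
ACTIVE, SUSPENDED = "active", "suspended"


class SessionStore:
    def __init__(self):
        self._sessions = {}  # cookie value -> {"user": ..., "state": ...}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self._sessions[token] = {"user": user, "state": ACTIVE}
        return token

    def resolve(self, token):
        """Return the user for an ACTIVE session, else None (access denied)."""
        s = self._sessions.get(token)
        if s is None or s["state"] != ACTIVE:
            return None
        return s["user"]

    def logout(self, token):
        # Solution 1: expire at the server, not only in the browser.
        self._sessions.pop(token, None)

    def reauth_failed(self, token):
        # Solution 2: suspend instead of leaving the session live.
        s = self._sessions.get(token)
        if s is not None:
            s["state"] = SUSPENDED

    def reauth_succeeded(self, token):
        # Re-enable only after the caller has verified the password.
        s = self._sessions.get(token)
        if s is not None and s["state"] == SUSPENDED:
            s["state"] = ACTIVE


def walkthrough():
    """Lifecycle from the advisory; what a copied cookie resolves to each stage."""
    store = SessionStore()
    cookie = store.login("user")
    after_login = store.resolve(cookie)
    store.reauth_failed(cookie)       # wrong password on the re-login page
    while_suspended = store.resolve(cookie)
    store.reauth_succeeded(cookie)    # correct password entered
    after_reauth = store.resolve(cookie)
    store.logout(cookie)              # "Logout" link clicked
    after_logout = store.resolve(cookie)
    return after_login, while_suspended, after_reauth, after_logout
```

With the store behaving this way, the two impacts in the advisory disappear: a copied cookie is dead after logout, and the account is unreachable via the 'Home' link while re-authentication is pending.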
Initial Release Published:-
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html

News:-
http://www.xssed.com/news/32/Orkut_vulnerable_to_2_user_authentication_issues/
http://www.got-news.org/view/id/87166/Orkut_Article_Defaced

Related URLs:-
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064649.html
(Orkut session remains alive for 14 days after logout.)

Revision History:-
2007-06-22 - Initial release
2007-06-23 - Updated 'Prevention' section with 'suspicious link'
2007-06-26 - Added 'Summary' section; formatted document
2007-06-27 - Added 'Initial Release Published' and 'News' sections
2007-08-02 - Added 'Related URLs' section

Contact Information:-
1. Susam Pal
   susam@susam.in
   http://susam.in/
2. Vipul Agarwal
   vipul@nuttygeeks.com
   http://www.ang-productions.com/