Live Demo of Orkut Session Hijacking

By Susam Pal on 09 Jul 2007

On 22 June 2007, I posted a full disclosure regarding an Orkut session management issue. A week later, on 29 June 2007, I posted another full disclosure regarding a similar Google session management issue. The cause of both issues is the same: the session associated with a user is not invalidated on the server side even after the user logs out. This is a security flaw.

A couple of days later, on the basis of these posts, another member of the same mailing list posted a live demonstration of Orkut session hijacking. A week later, interim results were published showing that Orkut sessions remain alive for at least 7 days after the user logs out. Another week later, final results were published showing that Orkut sessions remain alive for 14 days after the user logs out.

This issue by itself is not critical, because a successful exploit requires the attacker to steal the victim's session cookie before the session can be hijacked. However, it is still a moderately serious flaw: if the attacker does manage to steal the session cookie, say by finding a cross-site scripting (XSS) flaw before this issue is fixed or by any other means, the victim has no way to terminate the session. Normally, a victim who suspects that his or her session has been hijacked can invalidate the session cookie simply by logging out, which terminates the session for both the victim and the attacker. Due to this flaw, however, the session cookie remains valid after the victim logs out, and the attacker can continue to use the victim's session for up to 14 days.
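The flaw and the replay test that exposes it, reduced to a small model. This is an added example, not Orkut's or Google's code and not the mailing-list demonstration; the server, the cookie name, the 14-day absolute session lifetime and the injectable clock are assumptions made here to show the two logout behaviours side by side. The vulnerable logout only tells the browser to drop the cookie; the fixed logout also deletes the server-side session record.

```python
import secrets
import time

# Assumed absolute session lifetime, matching the 14 days observed in the demo.
SESSION_LIFETIME = 14 * 24 * 3600


class SessionServer:
    """Minimal cookie-based login server (constructed for this example)."""

    def __init__(self, invalidate_on_logout, clock=time.time):
        self.invalidate_on_logout = invalidate_on_logout
        self.clock = clock          # injectable so tests can move time forward
        self.sessions = {}          # session id -> (user, expiry timestamp)

    def login(self, user):
        """Create a session; the returned id is what the server sets as the cookie."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, self.clock() + SESSION_LIFETIME)
        return sid

    def logout(self, sid):
        """Vulnerable: only the browser is told to forget the cookie.
        Fixed: the server-side record is removed as well, so a copy of the
        cookie held by anyone else stops working immediately."""
        headers = {"Set-Cookie": "SID=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT"}
        if self.invalidate_on_logout:
            self.sessions.pop(sid, None)
        return headers

    def whoami(self, sid):
        """Resolve a presented cookie to a user, or None if it is not valid."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if self.clock() > expiry:
            del self.sessions[sid]
            return None
        return user


def logout_terminates_session(server):
    """Replay test a tester runs against a site: log in, copy the cookie as an
    attacker would (e.g. via XSS), log out as the victim, replay the copy."""
    sid = server.login("victim")
    stolen = sid
    assert server.whoami(stolen) == "victim"
    server.logout(sid)
    return server.whoami(stolen) is None


def stolen_cookie_works_days_after_logout(invalidate_on_logout, days):
    """Does a copied cookie still resolve to the victim `days` after logout?"""
    now = [0.0]
    server = SessionServer(invalidate_on_logout, clock=lambda: now[0])
    sid = server.login("victim")
    server.logout(sid)
    now[0] = days * 24 * 3600
    return server.whoami(sid) == "victim"


if __name__ == "__main__":
    for flag in (False, True):
        print("invalidate_on_logout=%s: logout terminates session -> %s"
              % (flag, logout_terminates_session(SessionServer(flag))))
    print("vulnerable server, cookie replayed 13 days after logout ->",
          stolen_cookie_works_days_after_logout(False, 13))
```

With the vulnerable server the replayed cookie is still accepted after logout and keeps working until the absolute lifetime runs out; with the fixed server it is rejected as soon as the victim logs out. Against a real site the same test is done by hand: save the session cookie from a logged-in browser, log out in that browser, then send a request with the saved cookie from another client and see whether the page still comes back authenticated.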