Security expert warns that Microsoft’s email platforms could be easily hijacked

Mar 22, 2013 09:46 GMT  ·  By

Both Hotmail and Outlook.com email services are vulnerable to session fixation attacks that could allow cybercriminals to get full control of an account due to what seems to be an issue affecting the management of cookies and sessions.

Security researcher Rishi Narang wrote on his blog that Microsoft’s email platforms, along with Twitter, Yahoo and LinkedIn accounts, are all vulnerable to this flaw, which could be quickly exploited even by someone without much hacking experience.

“Microsoft mail services are vulnerable to this session management flaw. Apart from your regular MSN/Live email accounts, you can also move your corporate accounts on outlook exchange mail service. Thus, it also affects your Microsoft hosted corporate accounts. Now, the problem with outlook/live is that it authenticates the old session cookies even if the user has logged out from the session,” Narang explained.

Basically, the security expert says that an attacker who steals someone’s authentication cookie while that person is signed in to the account can keep using it, because the server still treats the cookie as valid even after it has been removed from the browser.

The same issue has been spotted in all the aforementioned services and could be exploited to gain access to a specific account even though the authentication cookies expire at the end of the session.

“So what just happened? How is the old cookie still being validated at the server end? The cookie expires at the end of the session and gets deleted from the browser, but what about the server? Why does the server maintain the authentication cookie, and for how long will this be valid? No idea, but scary,” the expert writes.

“These cookies are days (sometimes months) old. As a result, someone can successfully access accounts that belong to individuals from different global locations. Even if they had logged in/logged out many times, their cookie would still be valid.”
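The behaviour Narang describes, a logout that clears the cookie in the browser but leaves the server-side session record valid, can be modelled in a few lines. The Python below is an added example written for this article, not code from Microsoft or from Narang's post; the `SessionStore` class, its method names and the sample addresses are assumptions. It contrasts a cookie-only logout with one that deletes the server-side record, adds the "log out everywhere" path a provider would want after a password change, and shows the check a defender would run: once a user has logged out, the old token must no longer authenticate.

```python
"""Server-side session invalidation on logout (added illustration).

Constructed in-memory model of the failure mode described in the article:
the browser deletes its session cookie on logout, but the server keeps
validating the same token. Class, method and user names are assumptions.
"""
import secrets
import time


class SessionStore:
    """Maps opaque session tokens to session records held on the server."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # token -> {"user": str, "expires": float}
        self._clock = clock   # injectable so expiry can be tested offline

    def login(self, user, ttl_seconds=3600):
        """Create a fresh random token; the caller puts it in Set-Cookie."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user,
                                 "expires": self._clock() + ttl_seconds}
        return token

    def authenticate(self, token):
        """Return the user for a valid token, or None if unknown or expired."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        if self._clock() >= rec["expires"]:
            del self._sessions[token]   # lazily drop stale records
            return None
        return rec["user"]

    def logout_cookie_only(self, token):
        """Weak logout: only tells the browser to drop the cookie.

        The server-side record is untouched, so anyone holding a copy of the
        token can still authenticate with it. This mirrors the flaw above.
        """
        return "Set-Cookie: session=; Max-Age=0"

    def logout(self, token):
        """Correct logout: delete the server-side record, then clear the cookie."""
        self._sessions.pop(token, None)
        return "Set-Cookie: session=; Max-Age=0"

    def logout_all(self, user):
        """Invalidate every session of a user (e.g. after a password change)."""
        doomed = [t for t, r in self._sessions.items() if r["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def compare_logout_behaviours():
    """Run both logout flows against a retained token and report the outcome."""
    store = SessionStore()
    weak_token = store.login("alice@example.invalid")   # constructed user
    store.logout_cookie_only(weak_token)
    weak_result = store.authenticate(weak_token)        # still accepted: flaw

    good_token = store.login("alice@example.invalid")
    store.logout(good_token)
    good_result = store.authenticate(good_token)        # None: token rejected

    return {"cookie_only_logout_still_valid": weak_result is not None,
            "server_side_logout_still_valid": good_result is not None}


def expiry_is_enforced():
    """Show that a token dies once the server-side TTL passes, even without logout."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    token = store.login("bob@example.invalid", ttl_seconds=60)
    before = store.authenticate(token)
    now[0] += 61
    after = store.authenticate(token)
    return before is not None and after is None


if __name__ == "__main__":
    print(compare_logout_behaviours())
    print("expiry enforced:", expiry_is_enforced())
```

The defender's check is the second dictionary entry: after `logout`, `authenticate` on the old token returns `None`. The server-side TTL is a second line of defence, bounding how long a copied token stays usable even when a logout request never arrives.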

Microsoft is yet to issue a statement on this new report, but we’ve contacted the Redmondians and we will update the article when and if we get an answer.