Yahoo, LinkedIn, Twitter Accounts Vulnerable to Session Fixation Attacks

Security researcher shows how accounts can be hijacked

By on March 22nd, 2013 09:29 GMT

Security researcher Rishi Narang has identified a vulnerability that could be exploited by cybercriminals to hijack accounts belonging to Microsoft, Twitter, LinkedIn and Yahoo users. Google and Facebook customers are not impacted by the flaw.

According to the researcher, the vulnerability, which he says can be leveraged to launch session fixation attacks, is caused by an issue with the management of cookies and sessions. Strictly speaking, what he describes is insufficient session expiration: the attacker reuses a session identifier the victim already holds, rather than planting one in the victim's browser before login.

If an attacker can obtain a user's authentication cookie, for example by intercepting it in transit, he can use it to hijack the account, because although an expiry date is set on the cookie, the server keeps honouring the session it refers to even after the user logs out. The expiry date only tells the browser when to discard its copy of the cookie; it does nothing to the session record held on the server.

“The cookie/session ID for an authenticated session is available even after the session has been terminated. There are examples where cookies can be accessible to hijack authenticated sessions,” Narang explained.

“And these cookies are days (sometimes months) old. As a result, someone can successfully access accounts that belong to individuals from different global locations. Even if they would have logged in/logged out many times, their cookie would still be valid.”
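To make the flaw concrete, the following is an added illustration, not code from the researcher or from any of the sites named above: a constructed in-memory session store with a weak logout that only tells the browser to drop its cookie, beside a hardened variant that deletes the server-side session and enforces an absolute lifetime. The user names, the eight-hour lifetime, the fake clock and the replay helpers are assumptions made for the example.

```python
import secrets
import time


# Constructed, in-memory session store used only to illustrate the flaw;
# it is not the code of Microsoft, Twitter, LinkedIn or Yahoo.
class SessionStore:
    def __init__(self, invalidate_on_logout, max_age_s=None, clock=time.time):
        self.invalidate_on_logout = invalidate_on_logout  # destroy server-side session on logout?
        self.max_age_s = max_age_s                        # absolute lifetime in seconds; None = unbounded
        self.clock = clock                                # injectable so "days later" can be simulated
        self._sessions = {}                               # session id -> (user, created_at)

    def login(self, user):
        """Issue a fresh, unguessable session id on every login (this is also the
        defence against classic session fixation). A real app would set the id in a
        cookie with Secure, HttpOnly and an Expires attribute; Expires only instructs
        the browser and never touches the server-side record."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self.clock())
        return sid

    def logout(self, sid):
        """Weak variant: the browser is told to drop the cookie but the server keeps
        the session, so any captured copy of the id keeps working.
        Hardened variant: the server-side record is destroyed."""
        if self.invalidate_on_logout:
            self._sessions.pop(sid, None)

    def authenticate(self, sid):
        """Return the user a presented session id authenticates as, or None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, created = entry
        if self.max_age_s is not None and self.clock() - created > self.max_age_s:
            self._sessions.pop(sid, None)  # past absolute lifetime: evict and reject
            return None
        return user


def weak_store(clock=time.time):
    """Behaviour the article describes: cookies stay valid after logout, indefinitely."""
    return SessionStore(invalidate_on_logout=False, max_age_s=None, clock=clock)


def hardened_store(clock=time.time):
    """Logout invalidates server-side; sessions die after 8 hours (assumed value)."""
    return SessionStore(invalidate_on_logout=True, max_age_s=8 * 3600, clock=clock)


def replay_after_logout(store, user="alice"):
    """Attacker's view: capture the victim's cookie, wait for the victim to log out,
    then replay it. Returns the account the replay lands in, or None."""
    cookie = store.login(user)
    captured = cookie          # e.g. sniffed on an unencrypted link or read from a backup
    store.logout(cookie)       # victim logs out; the browser discards its copy
    return store.authenticate(captured)


class FakeClock:
    """Controllable clock so the 'days or months old' case can be exercised offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def replay_days_later(store_factory, days, user="bob"):
    """Does a cookie captured `days` ago still authenticate, with no logout at all?"""
    clock = FakeClock()
    store = store_factory(clock)
    cookie = store.login(user)
    clock.advance(days * 86400)
    return store.authenticate(cookie)


if __name__ == "__main__":
    print("weak, replay after logout    :", replay_after_logout(weak_store()))
    print("hardened, replay after logout:", replay_after_logout(hardened_store()))
    print("weak, cookie 30 days old     :", replay_days_later(weak_store, 30))
    print("hardened, cookie 30 days old :", replay_days_later(hardened_store, 30))
```

Run as a script, the weak store hands the replayed cookie to the attacker in both scenarios, while the hardened store rejects it after logout and after the lifetime has elapsed. The check a practitioner would run against a real site is the same shape: log in, copy the session cookie, log out, and present the copy again; any response that still treats it as authenticated means logout is not invalidating the session on the server.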

Additional technical details of the vulnerabilities are available on the researcher’s blog.
