IRCCloud: iOS application does not destroy session upon logout.

ID H1:7041
Type hackerone
Reporter uname
Modified 2014-05-22T22:46:40


When a user logs out of the iOS application, the server should invalidate that user's session. It does not: the only request the client sends on logout is to /apn-unregister, and the session cookie it carries remains valid afterwards.

When the logout is performed, the following request is sent to, and response received from, the server:


POST /apn-unregister HTTP/1.1
Host:
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cookie: session=1.eaf395c450d6ad52023804d9846b7376
Accept-Language: en-us
Accept: */*
Content-Length: 117
Connection: keep-alive
User-Agent: IRCCloud/1.8 (iPhone; en; iPhone OS 6.1.6)




HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: chrome=1
Strict-Transport-Security: max-age=31536000
server: Cowboy
date: Fri, 11 Apr 2014 05:29:54 GMT
content-length: 28
content-type: application/javascript


The session identifier "1.eaf395c450d6ad52023804d9846b7376" is not destroyed and can be reused over and over again after logout. If this cookie is captured or leaked (on the wire, in a proxy log, or from a device backup), an attacker would have persistent access to the victim's account, and the victim cannot revoke it by logging out. This is easy to confirm: replay the captured Cookie header against any authenticated API request after the logout and observe that it is still accepted rather than rejected.
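To make the defect concrete, here is an added example that is not part of the original report and not IRCCloud's code: a minimal in-memory model of a session store with two logout handlers. The first mirrors the behaviour described above (only the push token is unregistered, the session stays valid); the second is the fix (the session is deleted server side). The replay check logs in, logs out, and then presents the captured cookie again, which is exactly the test a reviewer would run against the real service. All names, the session-id format and the sample user are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field


# Constructed server-side state; stands in for whatever IRCCloud actually
# uses, which the report does not describe.
@dataclass
class ServerState:
    sessions: dict = field(default_factory=dict)    # session id -> user id
    apn_tokens: dict = field(default_factory=dict)  # user id -> push token


def login(state: ServerState, user_id: str) -> str:
    """Create a session and return its id (same "1.<32 hex>" shape as in the report)."""
    sid = "1." + secrets.token_hex(16)
    state.sessions[sid] = user_id
    return sid


def parse_cookie_header(header: str) -> dict:
    """Parse a raw Cookie header value such as 'session=1.abc; other=x'."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def authenticated_user(state: ServerState, cookie_header: str):
    """Resolve the session cookie on a later request; None means the request is rejected."""
    sid = parse_cookie_header(cookie_header).get("session")
    return state.sessions.get(sid)


def logout_vulnerable(state: ServerState, sid: str) -> int:
    """Logout as the report describes it: only /apn-unregister is hit, so the
    push token is removed but the session entry is left intact."""
    user = state.sessions.get(sid)
    if user is None:
        return 401
    state.apn_tokens.pop(user, None)
    return 200


def logout_fixed(state: ServerState, sid: str) -> int:
    """Hardened logout: unregister the push token and destroy the session
    server side, so a captured cookie is useless after logout."""
    user = state.sessions.pop(sid, None)
    if user is None:
        return 401
    state.apn_tokens.pop(user, None)
    return 200


def session_survives_logout(logout) -> bool:
    """Replay check: log in, log out via the given handler, then replay the
    cookie an attacker could have captured. True means the bug is present."""
    state = ServerState()
    sid = login(state, "victim")
    state.apn_tokens["victim"] = "constructed-device-token"
    assert logout(state, sid) == 200
    captured = f"session={sid}"  # the Cookie header as seen on the wire
    return authenticated_user(state, captured) is not None


if __name__ == "__main__":
    print("vulnerable logout, cookie still valid:", session_survives_logout(logout_vulnerable))
    print("fixed logout, cookie still valid:     ", session_survives_logout(logout_fixed))
```

The same replay check applies to the live service: capture the Cookie header from the logout request, log out, then resend any authenticated request with that header. A correct implementation answers with a rejection; the behaviour reported above answers with the user's data.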