This Friday I was working with my co-security researcher "Christy Philip Mathew" in +The Hacker News Lab for testing the Cookie Handling Vulnerabilities in the most famous email services i.e Hotmail and Outlook. Well, both are merged now and part of the same parent company - Microsoft, the software giant.
There are different way of stealing cookies, that we will discuss below. In May 2012, another Indian security researcher Rishi Narang claimed similar vulnerability in Linkedin website.
But in case of Hotmail and Outlook -- even after logout, one can use same cookies again and again to authenticated the session without requirement of the account password.
Proof of Concept
To Demonstrate this flaw, first of all readers should know about cookie importing and Exporting. A serious technical step ? No ,you just need a Firefox addon called 'cookie-importer' (download) for importing and 'Cookie Exporter' (download) for exporting cookies in browser.
Step one, login to your Hotmail OR Outlook email account, and go to cookie-exporter and save the file in your system, then logout your account (as shown below)
Step 2, Open another browser or any other system, where you should have cookie-importer to import cookies. Select the file exported in last step and import it.
Step 3, Once imported, just open outlook.com or hotmail.com in your browser on 2nd system and you can check that, the victim's account will login automatically, using same cookies.
Working Live Example for Readers
For a live working demo for our readers, we have created an account on outlook.com , where email is email@example.com and password is .....? Nahh you don't that !
We have export cookies of our account in a text file and readers can download cookies.txt file 'Here' (Update - now removed from server, please test at your system). Once you (attacker) have cookies, just open your browser and import cookies using add-on as shown in above steps and after that visit outlook.com. 'let me know via comments on this post' what you have !
Why researcher choose Public disclosure ?
Being a responsible Security News media 'The Hacker News' always suggest hackers and researchers to first report only to the vendor about each possible vulnerability. Christy had reported to the Microsoft Security Team and received the following response
Microsoft Security Team close the ticket just by saying that, cookies are transferred over HTTPS in encrypted manner and password of the account can not be changed without re-authentication . They accepted that this flaw is not any serious vulnerability, so Christy choose Public disclosure.
Either Microsoft team didn't understand the impact factor or they don't want to ? Why one need to change the password, if he can access mails, can delete, send, backup with just cookies!
Possible Implementations of Account Hijacking
At the end, most important part, how to steal cookies ? A cookie is usually a small piece of data sent from a website and stored in a user's web browser. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.
There are various ways, attacker can steal cookies depending upon various factors:
1.) Having physical access to victim's system (Success Rate - 100%): As shown above, if the attacker can get the physical access to the victim's system, one can easily export cookies of logged-in account to a text file and then can take it to another system for hacking purpose.
If one have physical access, he can do many more things, then why just stealing cookies ? Because once attacker has the cookies, he can reuse it again and again that for re-authentication , even after victim logout the session from his end any number of times. So, no change that victom's will ever come to know thar his account is compromised.
2.) Victim and Attacker are in same Network *(Success Rate - 50%)*: If attacker and victim are using same lan/wifi network, Man-in-the-middle attack can do this sort of thing using SSL strip like tools.
One of the best and portable tool for performing session / cookies hijacking overs HTTPS is possible via an Android penetration testing application called "dSploit" , having option "Session Hijacker" in that. There are lots of similar tools available for this purpose.
3.) Cross site scripting in Hotmail and Outlook * *(Success Rate - 100% if xss exist): Internet giant companies like Google, Paypal, Facebook pay thousands of dollars as bug bounty for Cross site scripting because these vulnerabilities can be used to steal user's cookies for account hijacking.
So if someone found XSS vulnerability in Hotmail or Outlook in future, he will be able to steal cookies by crafting malicious links. In this method, the combination of cross site scripting vulnerability and Cookie Handling Vulnerability will lead to account hijacking of Hotmail and Outlook accounts.
For example, Just a few days back, an unknown hacker was selling an exploit in $700 that allows individuals to hijack a Yahoo! email account, in that case hacker was using a cross site scripting in one of the domain of Yahoo website.
4.) Malwares and Stealer *(Success Rate - 100%)*: Victim PC can be in hacked using a Auto Cookie stealing Malware (that is currently under beta testing in by the team) or any RAT tool can allow attacker to get your cookies remotely.
Vulnerability Discovered - 11 Nov 2012
Vulnerability Reported - 11 Nov 2012
Reply from vendor - 12 Dec 2012
Vulnerability Public Disclosure - 14 Dec 2012
We hope, Microsoft will take the issue seriously as soon as possible to fix the issue!