Recently, there was a vulnerability discovered in LinkedIn, which is
described here http://www.wtfuzz.com/blogs/linkedin-ssl-cookie-vulnerability/
Basically, this allows someone in network to sniff a cookie value and
apply it in his browses session to hijack the target's user session.
This simple concept even works even in Facebook. I was able to hijack
n number of user's session sitting in my university room in few
minutes.
For every POST request in facebook, similar cookie string is transmitted:
Cookie: datr=09bXXXQ2oOgQuUK0yAzK_JU9; lu=wgj9pmpkAsdXXXTp5vthfh2w;
locale=en_US; L=2; act=13078123502562F3; c_user=xxxxxx;
sct=1123416461; xs=603Afe43db8a71239bd8d7b2a831xxx6241f;
presence=EM307818375L26REp_5f123422481F22X3078XXX1367K1H0V0Z21G307818375PEuoFD769839560FDexpF1307818409174EflF_5b_5dEolF-1CCCC;
e=n
I was able to hijack the remote user's session by just placing the
value of 2 cookies: c_user (which is obviously user id) and xs (seems
like auth token) in my browser session.
Step by step POC:
http://madhur.github.com/blog/2011/06/12/facebooksessionhijacking.html
Cookie: datr=09bXXXQ2oOgQuUK0yAzK_JU9; lu=wgj9pmpkAsdXXXTp5vthfh2w;
locale=en_US; L=2; act=13078123502562F3; c_user=xxxxxx;
sct=1123416461; xs=603Afe43db8a71239bd8d7b2a831xxx6241f;
presence=EM307818375L26REp_5f123422481F22X3078XXX1367K1H0V0Z21G307818375PEuoFD769839560FDexpF1307818409174EflF_5b_5dEolF-1CCCC;
e=n
Is this how it works in all social sites ?
If the answer is yes, I will be highly doubtful of using internet at
any public place where sniffing or MITM attack is relatively simple to
make.
Are there any measures to prevent it ?
Madhur
http://madhur.github.com
