
Submission + - Orkut Vulnerable to Authentication Issues

tomcataxis writes: Susam Pal and Vipul Agarwal have published a security advisory on full-disclosure about two session management vulnerabilities that affect Orkut. The two issues described in the advisory are:
  • A user's session remains alive at the server side even after he has logged out of Orkut. An attacker can take advantage of this to hijack a user's session.
  • While performing some important activities, like deleting a community, the application might ask the user to re-authenticate himself with his password before proceeding. If the user enters the wrong password, the user is logged out but the session cookies as well as the session are alive at the client side as well as the server side. This can be exploited by an attacker to hijack a user's session and misuse his account.
The authors of the advisory have suggested solutions to these issues in the published security advisory. They have also warned users not to run any untrusted JavaScript code, program, etc., and to log out of Orkut by clicking the "Logout" link only.


Submission + - Orkut is vulnerable to Session Hijacking

Jose Christie writes: "On December 12, 2006 Orkut fixed a cross site scripting (XSS) flaw in their site that allowed attackers to steal sensitive details from another user. On June 22, 2007 a session management security flaw was disclosed by three Indian researchers on full-disclosure. Fortunately the session management flaw was disclosed long after the XSS flaw was fixed. Both flaws present together in a site can lead to hijacking of thousands of accounts with little effort by the attackers. Since the XSS flaw has been fixed, the attackers now have to work harder to achieve the same.

Susam Pal, Vipul Agarwal and Gaurav Mogre have released a security advisory with a detailed explanation of their research on the security issue. The advisory suggests that an attacker can hijack someone's Orkut account even after a user has logged out of Orkut securely. Usually logging out ensures that the account is closed and it is not accessible to anyone. However, due to a session management error in Orkut, the session doesn't expire at the server side. The session remains alive for the next 24 hours. All an attacker needs is a valid session cookie of the user to hijack this active session.

An attacker can steal the session cookie of a user by means of social engineering, phishing attacks, etc. This is difficult to perform if the user is careful and follows the best practices of security. Had there been an XSS flaw along with this security problem, it would have been a cakewalk to steal the session cookie. Once the attacker retrieves the session cookie, he can set it in his browser and access the Orkut website. The session cookie acts as the identity of a user to the web server. So, the Orkut server believes him to be the user whose account was compromised. Thus the server logs the attacker into the compromised account. The attacker can now do whatever the actual owner of the account can do.

The three researchers have outlined some guidelines that should be followed by all Orkut users to protect their accounts from getting hijacked. The advisory warns the users not to run any untrusted JavaScript code, program or suspicious link. On a shared system, the user must log out of Orkut by clicking the "Logout" link. This deletes the session cookie from the browser and eliminates the possibility of the cookie from being stolen by another user using the same system."

Submission + - Yet another security hole in Orkut

Louis Benette writes: Susam Pal, Vipul Agarwal and Gaurav Mogre have disclosed a session management problem on full-disclosure in which they claim that if an attacker can steal the Orkut session cookies from a user's browser, he can hijack and misuse the user's account. The problem turns out to be particularly serious because the attacker can misuse your account even after you have logged out of Orkut. Unfortunately, Orkut keeps your session alive for 24 hours even after you have logged out, which can be taken advantage of by an attacker.

Earlier some XSS vulnerabilities were discovered in Orkut which allowed an attacker to steal your session cookies and Orkut preferences. On December 12, 2006 Orkut fixed these vulnerabilities. The users of Orkut have narrowly escaped massive attacks because the session management problem was disclosed after the XSS vulnerabilities were fixed. If both types of vulnerabilities are present at the same time, then an attacker can exploit the XSS flaw to steal cookies and hijack sessions by taking advantage of the session management problem. Within a span of 24 hours, hundreds and thousands of accounts can be hijacked. We are fortunate that such a threat of massive attacks doesn't exist right now. However, if an XSS flaw is discovered again and the session management problem is not fixed, massive attacks can take place.

Orkut is not the only site that has to deal with such vulnerabilities. Such vulnerabilities have also been discovered in the leading social networking site, Myspace. One such vulnerability was exploited by the Samy worm to hijack several pages. There are hundreds of millions of users registered on such social networking sites. With such serious vulnerabilities being discovered time and again on these sites, we need to ponder a disturbing question: Is it safe to create your online identities on social networking sites?

Submission + - Session Hijacking possible in Orkut due to a bug

tomcataxis writes: "A security flaw in Orkut has been disclosed by Susam Pal, Vipul Agarwal and Gaurav Mogre which can be exploited to hijack sessions. When a user logs out of Orkut, his session does not expire at the server side. So if an attacker manages to steal the session cookie from another user, he can gain access to the compromised account even after the user has logged out. Cookies can be stolen by persuading users to click on malicious links or run malicious JavaScript code. The three researchers suggest that users take the following precautions to protect their accounts from attackers:
1. One should not run any untrusted JavaScript, program, etc.
2. On a shared system, the user must log out of Orkut by clicking the "Logout" link. This would delete the session cookies at the browser."

Submission + - Session Management Security Hole in Orkut

tomcataxis writes: You login to Orkut and network with your friends everyday and then you finally log out. But do you really log out? What does logging out mean? Logging out means you have closed your account. Your account is accessible to none, not even to you unless you authenticate yourself with your username and password once again. Apparently logging out has a different meaning for Orkut. When you log out of Orkut, not only can you use your account without authenticating yourself but attackers and the bad guys can also use your account without even knowing your user name and password. Yes! That's true! They don't need your user name to hijack your account. Then what do they need? 3 Indian hackers Susam Pal, Vipul Agarwal and Gaurav Mogre have disclosed a security hole in Orkut that can be exploited to compromise an account if certain Orkut cookies are stolen and the account can be used even after the owner of the account has logged out.

The following are the steps to protect yourself.

1. A user logged into Orkut should not run any untrusted JavaScript, program, etc. or click on any suspicious link, to prevent the cookie from being stolen.
2. On a shared system, the user must log out of Orkut by clicking the "Logout" link. This would delete the session cookies at the browser, so another user cannot read the cookie value from the browser. Alternatively, the cookie can be removed from the browser.

Click the title above to read the complete report.
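Added example, not code from the advisory or from any of the submissions above: a minimal server-side session store that contrasts the two behaviours described in these posts (a logged-out session, or one where the step-up password check failed, staying valid until a 24-hour timer runs out) with the fix of deleting the server-side entry immediately. The user table, the cookie format and the injectable clock are constructed assumptions for the demonstration.

```python
import hmac
import secrets
import time

# Constructed sample credential table; a real app would store password hashes.
USERS = {"alice": "correct horse battery staple"}
SESSION_LIFETIME = 24 * 3600  # the 24-hour window the advisory describes

def check_password(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)

class SessionStore:
    """Server-side session table keyed by cookie value. invalidate=False
    reproduces the reported flaw (logout and failed re-auth leave the server
    entry alive until it times out); invalidate=True is the fix."""

    def __init__(self, invalidate, clock=time.time):
        self.invalidate = invalidate
        self.clock = clock  # injectable so expiry can be tested offline
        self._sessions = {}  # cookie -> {"user": ..., "exp": ...}

    def login(self, user, password):
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[cookie] = {"user": user, "exp": self.clock() + SESSION_LIFETIME}
        return cookie

    def user_for(self, cookie):
        sess = self._sessions.get(cookie)
        if sess is None or sess["exp"] <= self.clock():
            self._sessions.pop(cookie, None)  # unknown or timed out
            return None
        return sess["user"]

    def logout(self, cookie):
        if self.invalidate:
            self._sessions.pop(cookie, None)  # fix: a stolen cookie is now useless

    def reauthenticate(self, cookie, password):
        # Step-up check before a sensitive action such as deleting a community.
        user = self.user_for(cookie)
        if user is None:
            return False
        if check_password(user, password):
            return True
        if self.invalidate:
            self._sessions.pop(cookie, None)  # fix: wrong password ends the session
        return False
```

With `invalidate=False` a cookie copied before logout still resolves to the user for the rest of the 24 hours; with `invalidate=True` it is rejected as soon as the user logs out or fails the re-authentication prompt.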
