Hijacking Office 365 and other major services via cookie re-use flaw

When is logging off the opposite of security? One example would be Office 365, since logging off blocks the authorized user, but not the attacker. Microsoft’s Office 365 isn’t the only offender, as ethical hacking professor Sam Bowne pointed out after testing cookie-reuse on major websites. Bowne, a computer networking and information technology teacher at City College San Francisco, has so far found seven major websites—Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, WordPress—that have all failed this security test.

Microsoft has known that accounts can be hijacked since at least 2012 when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability. But Microsoft Security Response Center blew them off and closed the security investigation ticket. MSRC called it a “known issue” that would be addressed in an “upcoming release,” before adding that Live services transfer auth cookies over HTTPS so an account password could not be changed with re-authentication. As the security researchers pointed out, why would you need to change the password when you have access to all the emails?

Unlike Outlook.com and Hotmail, Office 365 is not free; paying consumers should expect better security. Granted, the circumstances for success would have to be just right, but what if an attacker, be it a nation state or business competitor, were to exploit this issue for espionage on an enterprise level?

Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He “easily reproduced it using Chrome and the Edit This Cookie extension” and then explained the steps.

After installing the add-on, log into Office 365 and then bookmark that URL.

Click the cookie icon, then click “Export cookies” and you will see the message “Cookies copied to clipboard” such as in Bowne’s screenshot below. (You may want to save info in Notepad.)

Log out. If you click the bookmark you just added, your emails don’t show up and you will be redirected to the login page.

Click the cookie icon again and then select “Import Cookies.” Paste the cookies that were copied to the clipboard, or pasted in Notepad, and click the “submit cookie changes” button. You can easily follow Bowne’s tutorial with helpful screenshots. He did wisely redact a portion of his pasted Office 365 cookies, “since anyone with this data can apparently get into my Office 365 account.”

Lastly, click the Office 365 bookmark you added, and voilà you are in.

Why is this important? Bowne wrote:

There are many ways of stealing cookies; XSS, malware, or just stealing your phone. And the person with the cookie can still use your account after you log off. So the “Log off” feature is the opposite of security–blocking the authorized user but not blocking the attacker.

Why doesn’t logging off cancel the cookie? That is obviously the intent of the user who clicks it.

This seems like a bug to me.

He then pointed out that Microsoft knows about and blew off this “known issue” for hijacking accounts when The Hacker News reported it in December 2012.

Other major players with the same vulnerability are Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. That can’t be a good thing. So thinking of another major site where millions of people have payment for services tied to their account, I decided to test Netflix.

Using Bowne’s example, I signed into Netflix, favorited the page, exported cookies, logged out, opened fav bookmark that showed me as “signed out,” imported cookies and ta-da! I was logged back in.

The good news is that Gmail, Tweetdeck, Facebook and Craigslist deny cookie re-use.

Bowne asked people to test more services and tweet the results to him @sambowne.

Like this? Here’s more posts:

• You might be a terrorist if…you complain about your tap water
• Microsoft joins ranks of those believing the government is conspiring against them
• Surveillance court ‘secret’ rulings slaughter Fourth Amendment to help NSA spy
• Govt’s $2.7 million KILL IT WITH FIRE approach to malware: Destroy all hardware
• How much privacy will you have with Microsoft’s ‘family of devices’?
• Hackers can wipe or steal data from security holes in 300,000 servers
• Hacking and attacking automated homes
• Former CIA, NSA director sounds off on PRISM, spying tools
• MSFT to developers: Fix Windows app security flaws in 180 days or be kicked from stores
• Microsoft Research: MoodScope, a context-aware smartphone to sense and share your mood

Follow me on Twitter @PrivacyFanatic