My friend got my session cookie a day before yesterday.<br>Is there any method I can stop him by using my Orkut account?<br><br><div><span class="gmail_quote">On 7/10/07, <b class="gmail_sendername">Deežąn Chakravarth’</b> <
<a href="mailto:codeshepherd@gmail.com">codeshepherd@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Joseph Hick wrote:
<br>> If you sign into <a href="http://orkut.com">orkut.com</a> then enter orkut in the<br>> filter box then you will see some orkut cookies. Look<br>> for orkut_state in <a href="http://www.orkut.com">www.orkut.com
</a> site.<br>><br>> It will work if you are logged in. if you log out<br>> orkut_state cookie disappears but the session remains<br>> active in <a href="http://orkut.com">orkut.com</a> server. So a big problem is
<br>> happening in orkut. when attackers stole some cookies<br>> using XSS attacks earlier they were misusing the<br>> accounts after owner of account logged out. This<br>> problem is happening because after owner of account
<br>> logged out the session remained active.<br>><br>> In other sites like yahoo this is not possible because<br>> the session deactivates in the server after owner of<br>> account logs out.<br>><br>>
<br>Hi Joseph,<br> Thanks, I was looking for the cookie after logging off.<br>Thanks<br>Deepan<br>> --- Deežąn Chakravarth’ <<a href="mailto:codeshepherd@gmail.com">codeshepherd@gmail.com</a>><br>> wrote:<br>
><br>>> It works great. But I am not able to find a similar<br>>> cookie for my account.<br>>> Am I missing something ?<br>>><br>>> Thanks<br>>> Deepan<br>>><br>>><br>>
<br>><br>><br>>> Joseph Hick wrote:<br>>><br>>>> This is the interim result of a proof of concept<br>>>><br>>> for<br>>><br>>>> Google Authentication issues posted in the
<br>>>><br>>> threads...<br>>><br>>>> 1.)<br>>>><br>>>><br>> <a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html">http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064143.html
</a><br>><br>>>> (Orkut Server Side Management Error by Susam Pal &<br>>>> Vipul Agarwal)<br>>>><br>>>> 2.)<br>>>><br>>>><br>> <a href="http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html">
http://lists.grok.org.uk/pipermail/full-disclosure/2007-June/064300.html</a><br>><br>>>> (Google Re-authentication Bypass by Susam Pal)<br>>>><br>>>> A session was created in Orkut at about Sat Jun 30
<br>>>> 20:30 UTC 2007. Between June 30 and now many have<br>>>> hijacked this session and logged out many times<br>>>><br>>> but<br>>><br>>>> the session is alive today as verified on Sun Jul
<br>>>><br>>> 8 at<br>>><br>>>> 09:43:10 UTC 2007. The cookie for this PoC session<br>>>><br>>> is<br>>><br>>>> ...<br>>>><br>>>> Name: orkut_state
<br>>>> Cookie:<br>>>><br>>>><br>> ORKUTPREF=ID=11190574376736842125:INF=0:SET=111236436:LNG=1:CNT=0:RM=0:USR=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:PHS=:TS=1183210062:LCL=en-US:NET=1:TOS=1:GC=DQAAAIMAAAArC-mJYqsrCOnv8uVQHdFUccRFQX8-ibRerEzrie5sOWNc06zs4z4fMNpovLUyRcNXHwxk8WzY6Z6SmvxcSmL1hAW4Mrdvazzkssq5VjSO70oE1HSFR4KOkSb3ZLg-U7k0x8c7ZuLHwu_qY2Umy8oobckg9UctWXYd1qoerXUTzsFSuLNXHdiAEVCSw7fUO00:PE=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:GTI=0:GID=aGlqYWNrbWVwbGVhc2VAZ29vZ2xlbWFpbC5jb20=:VER=2:S=1Ah7VcA0JetHQ0Mgyfp4Jb6meXw=:
<br>><br>>>> Domain: .www.orkut.com<br>>>> Path: /<br>>>> Send for: Any type of session<br>>>> Expires: Expire at end of session<br>>>><br>>>> This proves that the session remains alive for at
<br>>>> least 7 days after logging out. Steps to verify<br>>>> this...<br>>>><br>>>> 1.) Open Firefox, etc. which allows cookie<br>>>><br>>> editing.<br>>><br>>>> This extension is required...
<br>>>> <a href="https://addons.mozilla.org/en-US/firefox/addon/573">https://addons.mozilla.org/en-US/firefox/addon/573</a><br>>>><br>>>> 2.) Set the given cookie.<br>>>><br>>>> 3.) Try to visit
<a href="http://www.orkut.com/Home.aspx">http://www.orkut.com/Home.aspx</a><br>>>><br>>>> 4.) You will be automatically logged in with my<br>>>> account. It will not ask for any user-name or<br>
>>> password.<br>>>><br>>>> 5.) Logout<br>>>><br>>>> 6.) Repeat steps 1. to 4. You can log in again.<br>>>><br>>>> I want to see how long this session remains alive
<br>>>> after multiple logout. If you try this POC leave a<br>>>> message in the scrapbook of the account here ...<br>>>> <a href="http://www.orkut.com/Scrapbook.aspx">http://www.orkut.com/Scrapbook.aspx
</a><br>>>><br>>>> Thanks<br>>>> Joseph<br>>>><br>><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br>
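An added example, not part of the original thread and not Orkut's or Google's code: a minimal server-side session store that contrasts the logout behaviour reported above, where only the cookie is cleared, with a logout that deletes the server record so a copied cookie stops working. The class, its method names, the cookie name and the timeout values are hypothetical.

```python
import hashlib
import secrets
import time

class SessionStore:
    """Server-side session table; the cookie carries only an opaque token."""

    def __init__(self, idle_timeout=1800, absolute_timeout=86400, clock=time.time):
        self._sessions = {}  # sha256(token) -> session record
        self.idle_timeout = idle_timeout          # assumed value, seconds
        self.absolute_timeout = absolute_timeout  # assumed value, seconds
        self._clock = clock

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked session table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = {"user": user, "created": now, "seen": now}
        return token  # value for the Set-Cookie header

    def validate(self, token):
        """Return the user for a live session, else None."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        now = self._clock()
        if now - rec["seen"] > self.idle_timeout or now - rec["created"] > self.absolute_timeout:
            del self._sessions[self._key(token)]
            return None
        rec["seen"] = now
        return rec["user"]

    def logout_client_only(self, token):
        # Behaviour reported in the thread: the browser drops the cookie,
        # the server record is left untouched, so a copy of the token still works.
        return "Set-Cookie: session=; Max-Age=0"

    def logout(self, token):
        # Corrected behaviour: delete the server record, then expire the cookie.
        self._sessions.pop(self._key(token), None)
        return "Set-Cookie: session=; Max-Age=0"

    def revoke_all(self, user):
        # Hypothetical "sign out everywhere": drop every session of one account.
        stale = [k for k, r in self._sessions.items() if r["user"] == user]
        for k in stale:
            del self._sessions[k]
        return len(stale)
```

Only the server can end a session whose cookie has already been copied; the idle and absolute timeouts bound how long such a copy stays usable when the owner never logs out.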