Question on Cookie Security
Hi Guys,
Through my studies it has been stated that an attacker who potentially had access to steal say your Hotmail cookies (as an example) from your client when you forget to log out and the cookies remain in your temp files. And then use them on another PC and when accessing Hotmail you would be able to log on to this person's account. Well I tested this very theory last night in a lab but I could not seem to get the results.
I have had experience in creating basic cookies before for small websites (using PHP & HTML), but I guess my lack of experience isn't giving me the heads up on this one. How would MS have designed these cookies? Are they more complex and is it not as easy as I've said above? If I had good programming knowledge could I get the results mentioned above?
I hope someone can give me some insight.
Thanks!
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
Comments
-
dynamik Banned Posts: 12,312
You tested logging into Hotmail, or you created something custom and tried to hack your own app? I would assume that the one from Hotmail would contain other information such as the IP, OS, Browser, etc. (as much unique/semi-unique information as possible), and obfuscate that somehow in order to prevent this type of attack.
Try creating your own login utility and hacking that and finding ways to secure that. Have you used PHP to create authenticated sessions before?
-
Pash Member Posts: 1,600
dynamik wrote:
You tested logging into Hotmail, or you created something custom and tried to hack your own app? I would assume that the one from Hotmail would contain other information such as the IP, OS, Browser, etc. (as much unique/semi-unique information as possible), and obfuscate that somehow in order to prevent this type of attack.
Try creating your own login utility and hacking that and finding ways to secure that. Have you used PHP to create authenticated sessions before?
Hi Dynamik,
It was a direct copy of all Hotmail cookies from one exact like PC to another to see if I could compromise the account. I guess like you say there are some unique identifiers we can't see that stop this type of attack from happening.
Yes I have used PHP to create authenticated sessions before. Although this was maybe 5/6 years ago, I am sure I'm out of touch with security hardening in different languages right now.
Cheers,
-
ThePistonDoctor Member Posts: 62
As far as I know (and I'm far from an expert) - the cookies are parsed on the server and usually there is some sort of encryption algorithm in place. In other words, you can't just copy and paste the text from a cookie file into your own and call it the same thing and magically log in. There is encryption, hashing and many other factors involved. This doesn't answer your question in full but it might spring up some other responses that are more useful...
-
Pash Member Posts: 1,600
ThePistonDoctor wrote:
As far as I know (and I'm far from an expert) - the cookies are parsed on the server and usually there is some sort of encryption algorithm in place. In other words, you can't just copy and paste the text from a cookie file into your own and call it the same thing and magically log in. There is encryption, hashing and many other factors involved. This doesn't answer your question in full but it might spring up some other responses that are more useful...
Yeah I fully agree, there must be some kind of unique identifier created by an algorithm. Finding out what would be impossible though I guess unless I had developed it. I will try a much simpler login based cookies when I have time and try the same method. See what I can come up with.
Cheers,
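
The idea raised in the replies above (dynamik's binding of the cookie to client attributes, ThePistonDoctor's server-side hashing), as an added PHP example that is not part of the original thread and does not describe how Hotmail builds its cookies: the server signs the cookie with an HMAC and rejects it when it arrives edited, expired, or from a different client context. SECRET, fingerprint(), issueCookie(), verifyCookie(), the key and the sample addresses are assumptions made for the illustration.

```php
<?php
// Added illustration; SECRET and the function names below are hypothetical.
const SECRET = 'constructed-demo-key-change-me'; // constructed; load from config in practice

// Hash the client attributes the cookie is bound to (a coarse, spoofable signal).
function fingerprint(string $ip, string $userAgent): string {
    return hash('sha256', $ip . '|' . $userAgent);
}

// Build "payload.signature": payload carries session id, expiry and fingerprint.
function issueCookie(string $sessionId, string $ip, string $userAgent, int $ttl = 900): string {
    $payload = base64_encode(json_encode([
        'sid' => $sessionId,
        'exp' => time() + $ttl,
        'fp'  => fingerprint($ip, $userAgent),
    ]));
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

// Return the session id if the cookie is authentic, unexpired and presented by
// the same client context; otherwise null.
function verifyCookie(string $cookie, string $ip, string $userAgent): ?string {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    // Constant-time comparison so the check does not leak how many bytes matched.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $sig)) {
        return null; // edited or forged value
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data) || ($data['exp'] ?? 0) < time()) {
        return null; // malformed or expired
    }
    if (!hash_equals((string) ($data['fp'] ?? ''), fingerprint($ip, $userAgent))) {
        return null; // presented from a different client context
    }
    return $data['sid'] ?? null;
}

// Constructed sample values (documentation IP ranges, made-up User-Agent).
$ua = 'Mozilla/5.0 (constructed sample)';
$cookie = issueCookie(bin2hex(random_bytes(16)), '192.0.2.10', $ua);
var_dump(verifyCookie($cookie, '192.0.2.10', $ua) !== null); // issuing client
var_dump(verifyCookie($cookie, '198.51.100.7', $ua));        // same cookie, other address
var_dump(verifyCookie($cookie . 'x', '192.0.2.10', $ua));    // signature altered
```

Binding to IP and User-Agent is a coarse signal that also logs out users whose address changes, so short expiry and server-side invalidation at logout still carry most of the weight.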