Executive Summary

Summary
Title: Web sites may transmit authentication tokens unencrypted

Information
Name: VU#466433
First vendor publication: 2007-09-07
Vendor: VU-CERT
Last vendor modification: 2007-10-03
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3: no vector or scores available (N/A).

Security-Database Scoring CVSS v2: no vector or scores available (N/A).

Detail

Vulnerability Note VU#466433

Web sites may transmit authentication tokens unencrypted

Overview

Web services that rely on cookies for authentication may be vulnerable to an authentication bypass vulnerability.

Some web sites transmit authentication material (often cookies) without encrypting the entire session, even when the authentication material is initially set over an encrypted HTTP session. This behavior could allow an attacker on the network path to obtain authentication material and impersonate a legitimate user. Sites that set authentication cookies over HTTPS during login and then later transmit the cookies over HTTP are particularly vulnerable, since users are more likely to think that the security of the login page applies to the entire session.

I. Description

HTTP cookies are text that is sent to a client web browser from a server. Cookies are transmitted back to the server from the client's browser when the client accesses the web site.

Some web sites authenticate users with a username and password, create a cookie containing a unique identifier (a shared secret), and then accept that cookie in place of the credentials on subsequent requests. To increase security, the web site may delete the cookie when the user logs out, enable the optional "Secure" attribute of the "Set-Cookie" response header, or have the cookie expire after a specific date. Web browser toolbars or extensions may also send authentication credentials (cookies) to web sites or services.

Web sites that use cookies for authentication over plain text protocols like HTTP are vulnerable to an authentication bypass vulnerability, even if the initial login credentials are sent to the server using an encrypted protocol. If an attacker can intercept traffic that contains the cookie, the attacker may be able to replicate or replay the cookie that is being used as authentication credentials. In particular, sites that provide "software as a service" are often affected by this type of vulnerability.

Null encryption is a valid option when using HTTPS according to the original SSL specifications. We are unaware of any vendors that implement the HTTPS protocol that do not use encryption.

II. Impact

A remote unauthenticated attacker who can intercept traffic that is destined to an affected web site may be able to take any action on the web site that the legitimate user can.

III. Solution

There are a number of options that can mitigate this type of vulnerability. Please see the Workarounds and Systems Affected sections of this document for more information, including information about specific vendors.

Workarounds for users

  • Accessing the web site using encrypted HTTPS may mitigate this vulnerability. Note that the entire session, not just the initial username and password, will need to be encrypted. For this workaround to be completely effective, the secure attribute must be set on the cookie.
  • Logging off from the web service may reduce the amount of time an attacker has to obtain credentials and exploit unprotected services.
  • Users who can encrypt sensitive data locally by using PGP or GnuPG, password protected ZIP files, or other types of encryption before storing it on a web site may be able to restrict what information an attacker can obtain by exploiting this vulnerability. Note that this workaround may not be feasible for all services offered by all vendors.
  • Evaluate the risks of accessing vulnerable sites before using the services while connected to untrusted networks.

Workarounds for vendors

  • Provide the ability for users to access the site using HTTPS, or at a minimum only transmit authentication credentials over HTTPS. For this workaround to be completely effective, the secure attribute must be set on the cookie. See section 4.2.2 of RFC 2109 for more details.
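As an added example (not part of the CERT note or of any vendor's code), a small Python audit that parses Set-Cookie headers the way section I describes them and reports authentication cookies a browser would later send over plain HTTP because the Secure attribute is absent, together with a helper that appends the attribute. The cookie-name heuristic and the sample headers are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Heuristic (an assumption of this example, not a standard): substrings that
# usually mark a cookie as session or authentication material.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value or True


def parse_set_cookie(header: str) -> SetCookie:
    """Parse one Set-Cookie header value: name=value followed by ;-separated
    attributes (RFC 2109 section 4.2.2 syntax); flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if val else True
    return SetCookie(name.strip(), value, attrs)


def audit_set_cookies(scheme: str, headers: list[str]) -> list[str]:
    """Report authentication cookies exposed to the network path: either set
    over plain HTTP, or lacking Secure so the browser replays them over HTTP."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not any(hint in cookie.name.lower() for hint in SESSION_NAME_HINTS):
            continue  # not treated as authentication material
        if scheme.lower() == "http":
            findings.append(f"{cookie.name}: set over plain HTTP")
        if "secure" not in cookie.attrs:
            findings.append(f"{cookie.name}: missing Secure attribute, browser will send it over HTTP")
    return findings


def add_secure(header: str) -> str:
    """Return the Set-Cookie header with the Secure attribute appended if it is absent."""
    if "secure" in parse_set_cookie(header).attrs:
        return header
    return header.rstrip("; ") + "; Secure"


# Constructed sample login response headers (not taken from any real site).
LOGIN_RESPONSE = ["SESSIONID=c0ffee1234; Path=/; HttpOnly",  # set over HTTPS, but no Secure
                  "prefs=compact; Path=/; Max-Age=31536000"]
```

Running `audit_set_cookies("https", LOGIN_RESPONSE)` flags only SESSIONID, since the preference cookie carries no authentication material.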

Systems Affected

Vendor                 Status          Date Updated
Box.net                Vulnerable      23-Sep-2007
eBay                   Unknown         6-Sep-2007
Google                 Vulnerable      1-Sep-2007
Microsoft Corporation  Vulnerable      6-Sep-2007
MySpace.com            Unknown         5-Sep-2007
salesforce.com         Not Vulnerable  12-Sep-2007
Yahoo, Inc.            Vulnerable      1-Sep-2007
Zoho                   Vulnerable      23-Sep-2007

References

http://www.kb.cert.org/vuls/id/546483
http://www.cert.org/homeusers/HomeComputerSecurity/#9
http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster.html
http://www.securityfocus.com/archive/1/475658/30/0/threaded
http://blogs.zdnet.com/Ou/?p=651
http://blog.wired.com/monkeybites/2007/08/black-hat-repor.html
http://tools.ietf.org/html/rfc2109
http://wp.netscape.com/eng/ssl3/draft302.txt
http://msdn2.microsoft.com/en-us/library/Bb250503.aspx
http://kb.mozillazine.org/Cannot_connect_securely_because_the_site_uses_an_older_insecure_version_of_the_SSL_protocol
http://lifehacker.com/software/email-apps/secure-webbased-email-recap-032749.php
http://jvn.jp/cert/JVNVU%23466433/index.html

Credit

Information about this vulnerability was released by Erratasec.

This document was written by Ryan Giobbi and Dean Reges.

Other Information

Date Public: 09/07/2007
Date First Published: 09/07/2007 01:18:44 PM
Date Last Updated: 10/03/2007
CERT Advisory:
CVE Name:
Metric: 2.25
Document Revision: 98

Original Source

URL: http://www.kb.cert.org/vuls/id/466433