
Hijacking Office 365 and other major services via cookie re-use flaw

Ethical hacking teacher Sam Bowne tested whether an old cookie re-use bug would allow Office 365 to be hijacked. It did, and using stolen cookies also works for Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress.

By Ms. Smith on Tue, 07/16/13 - 10:52am.

When is logging off the opposite of security? One example would be Office 365, since logging off blocks the authorized user, but not the attacker. Microsoft's Office 365 isn't the only offender, as ethical hacking professor Sam Bowne pointed out after testing cookie-reuse on major websites. Bowne, a computer networking and information technology teacher at City College San Francisco, has so far found seven major websites—Office 365, Yahoo mail, Twitter, LinkedIn, Amazon, eBay, WordPress—that have all failed this security test.

Microsoft has known that accounts can be hijacked since at least 2012, when The Hacker News reported the Hotmail and Outlook cookie-handling vulnerability. But Microsoft Security Response Center blew them off and closed the security investigation ticket. MSRC called it a "known issue" that would be addressed in an "upcoming release," before adding that Live services transfer auth cookies over HTTPS so an account password could not be changed without re-authentication. As the security researchers pointed out, why would you need to change the password when you have access to all the emails?

Unlike Outlook.com and Hotmail, Office 365 is not free; paying consumers should expect better security. Granted, the circumstances for success would have to be just right, but what if an attacker, be it a nation state or business competitor, were to exploit this issue for espionage on an enterprise level?

Microsoft Office 365

Bowne was curious if Microsoft closed the hole or if stolen cookies could still be re-used. He "easily reproduced it using Chrome and the Edit This Cookie extension" and then explained the steps.

After installing the add-on, log into Office 365 and then bookmark that URL.

Click the cookie icon, then click "Export cookies" and you will see the message "Cookies copied to clipboard," as in Bowne's screenshot below. (You may want to save the info in Notepad.)

[Screenshot: Cookie re-use in Office 365]

Log out. If you click the bookmark you just added, your emails don't show up and you will be redirected to the login page.

Click the cookie icon again and then select "Import Cookies." Paste the cookies that were copied to the clipboard, or saved in Notepad, and click the "submit cookie changes" button. You can easily follow Bowne's tutorial with helpful screenshots. He did wisely redact a portion of his pasted Office 365 cookies, "since anyone with this data can apparently get into my Office 365 account."

[Screenshot: Re-using cookies in Office 365]

Lastly, click the Office 365 bookmark you added, and voilà, you are in.

Why is this important? Bowne wrote:

There are many ways of stealing cookies; XSS, malware, or just stealing your phone. And the person with the cookie can still use your account after you log off. So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking the attacker.

Why doesn't logging off cancel the cookie? That is obviously the intent of the user who clicks it.

This seems like a bug to me.

He then pointed out that Microsoft knows about and blew off this "known issue" for hijacking accounts when The Hacker News reported it in December 2012.

Other major players with the same vulnerability are Yahoo mail, Twitter, LinkedIn, Amazon, eBay, and WordPress. Both Amazon and eBay can be tied directly to your money via the method of payment you have on record. That can't be a good thing. So thinking of another major site where millions of people have payment for services tied to their account, I decided to test Netflix.

[Screenshots: Netflix cookie re-use; importing Netflix cookies, then submitting]

Using Bowne's example, I signed into Netflix, favorited the page, exported cookies, logged out, opened fav bookmark that showed me as "signed out," imported cookies and ta-da! I was logged back in.

The good news is that Gmail, Tweetdeck, Facebook and Craigslist deny cookie re-use.
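
What denying cookie re-use can look like on the server side, as an added example that is not code from Bowne or from any of the services named here. It assumes a site that issues HMAC-signed cookies; the `session_epoch` table and all function names are hypothetical, and the account names are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment signing key (constructed)
session_epoch = {}                     # user -> current epoch, kept server-side


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str) -> str:
    """Login: sign 'user|epoch' so the cookie cannot be forged or edited."""
    epoch = session_epoch.setdefault(user, 0)
    payload = f"{user}|{epoch}"
    return f"{payload}|{_mac(payload)}"


def verify_signature_only(cookie: str):
    """Flawed check: a validly signed cookie is accepted forever."""
    payload, _, mac = cookie.rpartition("|")
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    return payload.split("|")[0]


def verify_with_epoch(cookie: str):
    """Hardened check: the signed epoch must match the server's current one."""
    user = verify_signature_only(cookie)
    if user is None:
        return None
    epoch = int(cookie.split("|")[1])
    return user if session_epoch.get(user) == epoch else None


def logout(user: str) -> None:
    """Server-side logout: bump the epoch, voiding every cookie issued so far."""
    session_epoch[user] = session_epoch.get(user, 0) + 1


def replay_after_logout(verify):
    """Log in, keep a copy of the cookie, log out, present the copy again."""
    saved_copy = issue_cookie("alice")   # constructed sample account
    logout("alice")
    return verify(saved_copy)
```

With the signature-only check the saved copy still resolves to the account after logout; with the epoch check it resolves to nothing, which is the behavior a user clicking "Log off" expects.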

Bowne asked people to test more services and tweet the results to him @sambowne.
