search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Web sites may transmit authentication tokens unencrypted

Vulnerability Note VU#466433

Original Release Date: 2007-09-07 | Last Revised: 2009-04-13

Overview

Web services that rely on cookies for authentication may be vulnerable to an authentication bypass vulnerability.

Some web sites transmit authentication material (often cookies) without encrypting the entire session, even when the authentication material is initially set over an encrypted HTTP session. This behavior could allow an attacker on the network path to obtain authentication material and impersonate a legitimate user. Sites that set authentication cookies over https during login and then later transmit the cookies over HTTP are particularly vulnerable, since users are more likely to think that the security of the login page applies to the entire session.

Description

HTTP cookies are text that is sent to a client web browser from a server. Cookies are transmitted back to the server from the client's browser when the client accesses the web site.

Some web sites may authenticate users with a username and password, create a cookie with a unique identifier (a shared secret), then answer future authentication requests with the cookie. To increase security, the web site may delete the cookie when the user logs out, enable the optional "Secure" attribute for the "Set-Cookie" response header, or have the cookie to expire after a specific date. Web browser toolbars or extensions may also send authentication credentials (cookies) to web sites or services.

Web sites that use cookies for authentication over plain text protocols like HTTP are vulnerable to an authentication bypass vulnerability, even if the initial login credentials are sent to the server using an encrypted protocol. If an attacker can intercept traffic that contains the cookie, the attacker may be able to replicate or replay the cookie that is being used as authentication credentials. In particular, sites that provide "software as a service" are often affected by this type vulnerability.

Null encryption is a valid option when using HTTPS according to the original SSL specifications. We are unaware of any vendors that implement the HTTPS protocol that do not use encryption.

Impact

A remote unauthenticated attacker who can intercept traffic that is destined to an affected web site may be able to take any action on the web site that the legitimate user can.

Solution

There are a number of options that can mitigate this type of vulnerability. Please see the Workarounds and Systems Affected sections of this document for more information, including information about specific vendors.

Workarounds for users

    • Accessing the web site using encrypted HTTPS may mitigate this vulnerability. Note that the entire session, not just the initial username and password, will need to be encrypted . For this workaround to be completely effective, the secure attribute must be set on the cookie.
    • Logging off from the web service may reduce the amount of time an attacker has to obtain credentials and exploit unprotected services.
    • Users who can encrypt sensitive data locally by using PGP or GnuPG, password protected ZIP files, or other types of encryption before storing it on a web site may be able restrict what information an attacker can obtain by exploiting this vulnerability. Note that this workaround may not be feasible for all services offered by all vendors.
    • The NoScript Firefox extension may mitigate these types of vulnerabilities by forcing specified websites to use HTTPs and by setting the secure attribute on cookies used by those sites. See the NoScript faq for more information.
    • Evaluate the risks of accessing vulnerable sites before using the services while connected to untrusted networks.
Workarounds for vendors
    • Provide the ability for users to access the site using HTTPS, or at a minimum only transmit authentication credentials over HTTPS. For this workaround to be completely effective, the secure attribute must be set on the cookie. See section 4.2.2 of RFC 2109 for more details.

Vendor Information

466433
 
Affected   Unknown   Unaffected

Box.net

Notified:  September 21, 2007 Updated:  September 23, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google

Updated:  November 04, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Some Google services may be offered over encrypted https connections. See http://mail.google.com/support/bin/answer.py?answer=8155&topic=1560&security=1&ctx=security and https://mail.google.com/support/bin/answer.py?hl=en&answer=74765 for more information. Administrators of Google Apps for their domains may be able to require that their users connect via SSL connections.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Updated:  September 06, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

See http://lc1.law13.hotmail.passport.com/cgi-bin/dasp/ua_info.asp?pg=ssl&_lang=EN for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Yahoo, Inc.

Updated:  September 01, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

See http://security.yahoo.com/ for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Zoho

Notified:  September 21, 2007 Updated:  September 23, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

salesforce.com

Updated:  September 12, 2007

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

See https://na1.salesforce.com/help/doc/en/salesforce_security_cheatsheet.pdf for information on how to require that users connect via https.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MySpace.com

Notified:  September 05, 2007 Updated:  September 05, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eBay

Notified:  September 06, 2007 Updated:  September 06, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Information about this vulnerability was released by Erratasec.

This document was written by Ryan Giobbi and Dean Reges.

Other Information

CVE IDs: None
Severity Metric: 2.25
Date Public: 2007-09-07
Date First Published: 2007-09-07
Date Last Updated: 2009-04-13 20:02 UTC
Document Revision: 101

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.