On June 22, 2007 Susam Pal and Vipul Agarwal published a security advisory on Orkut vulnerabilities related to authentication issues. [6] The vulnerabilities are considered very dangerous in cybercafes, or in the case of a man-in-the-middle attack, as they can lead to session hijacking and misuse of legitimate accounts. [7] The vulnerabilities are not known to be fixed yet and therefore pose a threat to Orkut users.
A week later, on June 29, 2007 Susam Pal published another security advisory which described how the Orkut authentication issue can be exploited to hijack Google and GMail sessions and misuse the compromised account of a legitimate user under certain conditions.
Joseph Hick performed an experiment, on the basis of the advisories published by Susam Pal, to find out how long a session remains alive even after a user logs out. [8] His experiment confirmed that sessions remain alive for 14 days after the user has logged out. This implies that a hijacked session can be used for 14 days by the hijacker, because logging out does not kill the session.
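The failure mode described above, logout that only discards the client's cookie while the server-side session lives on until it ages out, beside the fix of revoking the record on logout. This is an added example written for this page, not Orkut's or Google's code; the store classes, the 14-day lifetime constant and the "captured" session id are constructed for illustration.

```python
import secrets

SESSION_LIFETIME = 14 * 24 * 3600  # 14 days (constructed, matching the observed lifetime)


class AgeOnlySessionStore:
    """Flawed behaviour: logout never touches the server-side record,
    so the session stays valid until it ages out."""

    def __init__(self, now):
        self.now = now          # injectable clock, returns seconds
        self._sessions = {}     # session id -> (user, created_at)

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self.now())
        return sid

    def logout(self, sid):
        pass  # only the client's cookie is cleared; nothing is revoked here

    def user_for(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        user, created = rec
        if self.now() - created > SESSION_LIFETIME:
            del self._sessions[sid]  # expired by age
            return None
        return user


class RevokingSessionStore(AgeOnlySessionStore):
    """Corrected behaviour: logout deletes the server-side record."""

    def logout(self, sid):
        self._sessions.pop(sid, None)


def captured_id_survives_logout(store_cls, elapsed=3600):
    """Does a session id copied before logout still resolve to the user
    `elapsed` seconds after the user logged out?"""
    clock = [0.0]
    store = store_cls(lambda: clock[0])
    sid = store.login("alice")
    captured = sid          # constructed: id left in a shared browser or seen in transit
    store.logout(sid)       # legitimate user logs out
    clock[0] += elapsed
    return store.user_for(captured) == "alice"
```

The check returns True for the age-only store until the 14 days elapse and False immediately for the revoking store; a logout-revocation test like this belongs in any session layer's regression suite.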