Twitter, Hotmail, LinkedIn, Yahoo Open To Hijacking 50
mask.of.sanity writes "Twitter, Linkedin, Yahoo! and Hotmail accounts are open to hijacking thanks to a flaw that allows cookies to be stolen and reused. Attackers need to intercept cookies while the user is logged into the service because the cookies expire on log-out (except LinkedIn, which keeps cookies for three months). The server will still consider them valid. For the Twitter attack, you need to grab the auth_token string and insert it into your local Twitter cookies. Reload Twitter, and you'll be logged in as your target (video here). Not even password changes will kick you out."
Not a new exploit (Score:5, Insightful)
This isn't exactly a new exploit (I remember the Firesheep event where someone made hijacking Facebook accounts like this user-friendly, but don't have a link handy). One problem with actually doing this is that you need access to the data as the victim's sending it (e.g. via sniffing unencrypted wi-fi, or physical access to the network that the victim is using); that still gives several possible targets (especially the wi-fi angle), but makes it much harder to use against arbitrary targets.
(The simplest fix, of course, is to use https for all cookie handling, which probably means https for every page access.)
So this is old news, although a reminder that this is still possible is definitely worthwhile.
SSL/HTTPS (Score:5, Insightful)
Using two cookies? (Score:3, Insightful)