Online services security report card

A lot of website security awareness has been raised over the last week since the release of a simple-to-use website user account hijacking tool called FireSheep.  The tool gives attackers temporary full access to your web accounts like Facebook, Twitter, and Microsoft Hotmail.  Many sites have been offering incorrect advice to just use force the website to run SSL, but my testing shows that sidejacking is still possible even when the site runs SSL.  Some people have suggested tools that go as far as rewriting the website’s javascript but we’re getting into deep water on complexity and the user shouldn’t have to re-engineer the websites they visit to protect their own user accounts.  Permanent fixes from the likes of Facebook, Twitter, and Microsoft are long overdue.image

Even though the vulnerability and easy exploitation online services have been well known since 2007, the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past 3 years.  Now that the problem can no longer be ignored because anyone can use the attack to steal other people’s account, I’m going to create an online services report card that will be updated over time.  Look below Figure 1 to see basic definitions of the various types of security breaches.

What are authentication cookies?

To save you the trouble of having to sign in with username and password every time you visit a website, websites use temporary (typically expires in days) authentication cookies that are automatically pulled from your cookie database and set to the server.  When the cookies expire, the user is prompted to type in their username and password which is often saved by the web browser.

SSL authentication

When you sign in with your username and password, the secure way to do this is when there is an “HTTPS” in front of the website and the certificate is verified by authorities like Verisign.  Your browser and operating system will keep a list of trusted Certificate Authorities (CA) and it will warn you when you visit a site that is signed by an untrusted CA.

Many websites don’t bother doing this and it makes it easy for someone to steal your username and password by putting up a fake hotspot and fake website.  This type of attack is very dangerous to consumers but it requires the attacker to perform an active attack which carries some small risk of being caught if authorities triangulate their wireless signal.  But in reality, there aren’t many resources allocated to tracking down this kind of attack, and the attack can be launched from a self contained box which vastly reduces risk for the attacker.

I and many other security experts have been hammering the U.S. banking industry since 2006 for failure to use SSL authentication and they finally fixed the problem years later.  Unfortunately, websites like Twitter and Facebook still haven’t learned.

SSL browsing support

When you’re browsing a website without SSL (when the address bar reads HTTP and not HTTPS), anyone can see what you’re browsing.  If this is Yahoo mail for example, people can read the messages you have loaded on the screen but they can’t go in and read other messages you’re not reading and they can’t send mail as you.

A website that does not support SSL browsing will not necessarily leak user authentication cookies since that’s a function of how careful the website developers are about their javascripts.  Ebay is a good example of this where no cookies are leaked even though Ebay users browse without SSL.image

Partial sidejacking

A partial sidejacking is where an attacker can get authentication cookies that allow them limited access to a user’s account.  For example, allows an attacker to browse the websites as the victim and attackers can see on Google maps saved addresses (including home address).  The same problem affects Yahoo but the attacker can’t access things like email.

Full sidejacking

A full sidejacking happens when the attacker can gain access to everything short of the username and password.  On Facebook, they can log in to Facebook as the victim and see all private data and even send or post messages on behalf of the victim.  The attacker usually can’t reset the password because sites like Facebook will ask for the old password to reset to a new password.

On Microsoft Hotmail, the attacker can see every email received and sent and send messages on behalf of the victim.  This potentially allows the attacker to reset other user accounts that are registered to a hotmail account.  Full sidejacking on an email account is very dangerous and it is surprising that Microsoft hasn’t fixed this yet.  Even if they only encrypted the authentication cookies using javascript and didn’t support full SSL mode, that would vastly improve security.  Google dragged their feet on Gmail for a year after sidejacking was widely reported in 2007 but they deserve credit for being one of the first to fix this problem and they’ve recently defaulted everyone to full SSL for Gmail.

Full hijacking

This is where an attacker gains access to the user’s username and password.  At this point, the attacker can do anything they want with the user’s data and account.  It is notable that attacking non-SSL protected protocols like POP3, SMTP, IMAP, and FTP are even easier because they can be done passively which is completely undetectable.  The attack is so simple that security conferences like DEFCON has an annual “Wall of Sheep“.  Attacking websites that fail to employ SSL authentication requires an active attack where the attacker has to set up a fake but realistic looking login page.

[Cross-posted at Digital Society]