Magento Forum

   
Cookie Theft and Session Hijacking
 
kiatng
Enthusiast
 
Total Posts:  875
Joined:  2008-09-03
Kuala Lumpur, Malaysia
 

I reported the above vulnerability here: http://www.magentocommerce.com/bug-tracking/issue/?issue=13768

In short, the vulnerability is due to the fact that the frontend of Magento with SSL does not use a secure cookie; this is apparent on line 178 of class Mage_Core_Model_Cookie::isSecure()

    /**
     * Is https secure request
     * Use secure on adminhtml only
     *
     * @return bool
     */
    public function isSecure()
    {
        if ($this->getStore()->isAdmin()) {
            return $this->_getRequest()->isSecure();
        }
        return false;
    }

To exploit this vulnerability, you can download an automated attack tool here http://fscked.org/blog/fully-automated-active-https-cookie-hijacking

A possible workaround is to secure the entire site (in system configuration, set the unsecure URL to https://) and remove the backend check in the above code so it will use a secure cookie whenever https is detected.

Is there any other idea?

 
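As an added illustration (not code from the thread or from Magento), the following script audits Set-Cookie headers for exactly the condition the post describes: a session cookie issued over HTTPS without the Secure attribute. The header samples are constructed; the cookie names frontend and adminhtml are Magento 1's default session cookie names.

```python
"""Audit Set-Cookie headers for a session cookie that lacks the Secure flag."""
from typing import Dict, List, Tuple

# Magento 1 session cookie names: 'frontend' (storefront), 'adminhtml' (backend).
SESSION_COOKIES = ("frontend", "adminhtml")

# Constructed sample headers, not real captures. The first imitates a storefront
# response over HTTPS where isSecure() returned false, so no Secure attribute;
# the second is what the corrected behaviour would produce.
SAMPLES: List[Tuple[str, str]] = [
    ("https", "Set-Cookie: frontend=e1f2a3b4c5; expires=Thu, 01-Jan-2099 00:00:00 GMT; "
              "path=/; domain=shop.example.test; HttpOnly"),
    ("https", "Set-Cookie: frontend=e1f2a3b4c5; path=/; domain=shop.example.test; secure; HttpOnly"),
    ("http",  "Set-Cookie: frontend=e1f2a3b4c5; path=/; domain=shop.example.test; HttpOnly"),
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (name, value, attributes); attribute names are lower-cased and
    valueless attributes such as Secure or HttpOnly map to ''."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(scheme: str, header: str) -> List[str]:
    """Return finding codes for one Set-Cookie header seen on a response."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    is_session = name in SESSION_COOKIES
    if scheme == "https" and "secure" not in attrs:
        # Without Secure the browser replays the cookie on any plain-HTTP request
        # to the domain, which is what exposes the session id to an on-path attacker.
        findings.append("missing-secure")
    if is_session and "httponly" not in attrs:
        findings.append("missing-httponly")
    if is_session and scheme == "http":
        # The session id itself travelled in cleartext on this response.
        findings.append("session-issued-over-http")
    return findings


if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(f"[{scheme}] {parse_set_cookie(header)[0]}: {audit_set_cookie(scheme, header) or ['ok']}")
```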
 
ben_marks
Moderator
 
Total Posts:  449
Joined:  2008-10-09
Charleston, SC
 

This same “issue” seems to affect gmail, yahoo, etc. Perhaps it’s not as big of an issue as it appears?

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Hi,

first of all: in case of security issues please mail them to security@magento.com.

It’s difficult to say if this is an issue because Magento usually mixes HTTP and HTTPS (the former for category pages etc., the latter for login/checkout), so the cookie itself exists everywhere and is always transmitted.
A successful MITM attack lets you access the personal area of course, but doesn’t let you steal important data like credit card information.

“This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic or following a successful MITM (Man in the middle) attack.” (as you write in the ticket)
Decrypting HTTPS is not a practical attack and can be, together with a MITM attack, used to simply inject your own code into the page and/or sniff complete login credentials (so no cookie value is needed anymore because you can simply log in). But HTTPS is, right now, strong enough against cryptographic attacks; only a successful break-in at a CA like Thawte to rob the root certificate might be a way - but this is more theoretical than really practical, usually it’s cheaper to buy a crowbar and break into the hoster’s server room wink
An attack on HTTPS would by the way affect Google as well as Magento.

In this case I think you can’t simply change the cookie because Magento would start to separate SSL and non-SSL sessions, which would result in a mess (you won’t be able to log in nor to check out anymore).

These are my thoughts on this report; anyway you can send it to security@magento.com and then we see what Magento itself says about this.

Thanks

 
 
kiatng
Enthusiast
 
Total Posts:  875
Joined:  2008-09-03
Kuala Lumpur, Malaysia
 

Thanks for reading this up.

@blueben Actually, Gmail has since used https by default. http://support.google.com/mail/bin/answer.py?hl=en&answer=74765

@thebod I didn’t know there is an email to report security issues. So thanks. Actually, it is not an attack on https. The attack is based on the fact that the session info is in plain text, which allows the MITM to work and impersonate the victim.

The issue is not just about whether a site has something worth stealing or about protecting users’ privacy. The issue is providing a secure application by protecting against all known vulnerabilities.

Incidentally, I just read Kevin Mitnick’s Ghost in the Wires, which educated me about the importance of security and how hackers work. I highly recommend the book to all web developers.

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Kevin Mitnick’s books are good lecture wink

And basically you are right, Magento is not safe against a MITM attack from a local network.
To achieve this you would have to enable SSL on all pages, then the cookie will be transmitted encrypted too and it will be more safe. Unfortunately it’s not always possible to set every page to SSL (even if it should be, unfortunately too many people don’t even know what SSL is) - but this problem exists everywhere, not only in Magento.

 
 
kiatng
Enthusiast
 
Total Posts:  875
Joined:  2008-09-03
Kuala Lumpur, Malaysia
 

I am no hacker. But according to this http://fscked.org/blog/overview-web-mitm-vulnerability-surface (go to the last comment), there are several vectors besides LAN.

Yeap, I think putting the entire site on https is the way to go. I’ll see what the client intends to do.

 
 
thebod
Moderator
 
Total Posts:  81
Joined:  2010-08-11
 

Attacks against DNS and BGP are way more complex and, as far as I know, nothing that someone could do to hack a little shop.

Local networks (LAN/WLAN) are the easiest vectors to attack; I know of no case where a big attack happened by massive hacks of DNS servers or attacks against BGP to hack an online shop.

 