Hijacking Office365 sessions with “Dead” Cookies
For some time I have been investigating the security that the Microsoft Office365 platform offers and the weak points that may arise when working with our data in the cloud, analyzing the communications it carries out with the help of sniffers and of different browsers and operating systems (including Windows 8.1) in the workstation role. Today I came across an article on this subject by Ms. Smith that really got my attention, interesting enough to put it to the test right away.
Session Hijacking: The theory
Normally, whenever we access a web service with a username and password, one or more cookies are stored on our PC. They allow access to that web service without entering the credentials again: the session state is saved in the cookie, so the system understands there is no need to identify yourself again because you have already done so.
So what happens if someone gets his hands on those cookies? It is simple: if those cookies are still alive, he can use the user's session inside that web service without needing a single password. A few popular examples are FireSheep against Tuenti, or the Facebook app's binary cookies. The bigger problem is when these cookies become «dead» without being totally dead, leaving the session open even after the user has logged off the web service, as we saw in the famous LinkedIn cookies case. Microsoft's Office365 is no exception and can be hijacked with a stolen cookie even after the user has logged off.
Microsoft Office365 session hijacking: PoC
Following Ms. Smith's article, I decided to use a Windows 7 workstation and install the Google Chrome browser with the «Edit my cookie» plugin. Once it was installed, I logged in to my Microsoft Office365 portal using Chrome:
Once I was inside, I clicked on the cookie button in the upper right corner and selected «Export Cookies»:
Then I opened Notepad and pasted the exported data, which includes the cookie that holds the Microsoft Office365 session:
I saved it as a txt file on my desktop and logged off my Office365 session. At this point that session should already be killed, so even if I wanted to, I should not be able to access my data again.
Then I started another workstation (this time with Windows 8.1) and copied the txt file to its desktop:
On this machine I also installed the Google Chrome browser and the «Edit my cookie» plugin, and browsed to the Microsoft Office365 login page. Once there, I clicked on the cookie button in the upper right corner, selected «Import cookies» and saved the changes:
Once that was done, I entered the same Microsoft Office365 login page again by retyping the URL in the address bar without closing the browser, and there it was! I had access to all my data without typing a single letter of my password.
How to mitigate cookie stealing in Microsoft Office365:
Getting hold of a Microsoft Office365 session cookie requires another attack combined with it: accessing local files on the machine, tricking the user into a man-in-the-middle scenario, or finding a client-side vulnerability that exposes the cookie. It is not that easy, but it is possible, and it matters because of the cookie's behavior: the session should be killed completely on logoff in order to mitigate this problem. In Raul Siles' article on the Session Management Cheat Sheet we can find security measures that should be applied to session cookies.
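The difference between a «dead» cookie and a truly dead one lives on the server, not in the browser. The following added example (constructed for this post, not Microsoft's or any vendor's code) models a minimal server-side session table and contrasts a logout that only asks the browser to drop the cookie with one that also destroys the server-side record; replaying an exported copy of the cookie, as in the PoC above, only succeeds against the first. The `SessionStore`, `replay_after_logout` and `replay_after_idle` names are assumptions of the example.

```python
import secrets


class SessionStore:
    """Server-side session table keyed by the cookie value.
    Constructed example: not Office365's implementation."""

    def __init__(self, idle_timeout=900):
        self.sessions = {}          # cookie value -> {"user": str, "last_seen": int}
        self.idle_timeout = idle_timeout

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)   # unguessable, 256 bits of entropy
        self.sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def resolve(self, sid, now):
        """Map a presented cookie to a user, or None if the session is not live."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self.sessions[sid]          # expire idle sessions server-side too
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout_client_only(self, sid):
        """The 'dead cookie' behaviour: the browser is told to drop the cookie,
        but the server-side session stays alive, so any saved copy still works."""
        return "Set-Cookie: session=; Max-Age=0"

    def logout(self, sid):
        """Correct logout: destroy the server-side session, then clear the cookie."""
        self.sessions.pop(sid, None)
        return "Set-Cookie: session=; Max-Age=0"


def replay_after_logout(server_side_invalidation):
    """Simulate the PoC: keep a copy of the cookie, log out, present the copy elsewhere."""
    store = SessionStore()
    sid = store.login("alice", now=0)
    saved_copy = sid                       # the exported txt file
    if server_side_invalidation:
        store.logout(sid)
    else:
        store.logout_client_only(sid)
    return store.resolve(saved_copy, now=60)   # second workstation presents it


def replay_after_idle(idle_seconds):
    """Show that an idle timeout bounds the window even when logout never happens."""
    store = SessionStore(idle_timeout=900)
    sid = store.login("alice", now=0)
    return store.resolve(sid, now=idle_seconds)
```

`replay_after_logout(False)` returns `"alice"` (the session survives logoff), while `replay_after_logout(True)` returns `None`.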
Microsoft has confirmed they are working on fortifying session security, but in the meantime make sure your cookies do not end up in other hands: I recommend always clearing your browser cache and using Internet Explorer's InPrivate mode (Ctrl+Shift+P), since it prevents session cookies from being stored on the local PC.