Telecom Italia Cookie Handling vulnerability allows hackers to hijack email accounts
A cookie is a piece of data that is issued by a server in an HTTP response and stored for future use by the HTTP client. Quite simply, a cookie is a small text file that is stored by a browser on the user’s machine. Cookies are plain text; they contain no executable code. The client then re-supplies the cookie value in subsequent requests to the same server. This mechanism allows the server to store user preferences and identity individual users.
One of the biggest issues in cookie mechanism is how to handle them. In short, the server had no way of knowing if two requests came from the same browser, called Cookie Handling vulnerability.
'Piero Tedeschi' reported a similar issue in 'Telecom Italia' (http://www.telecomitalia.it/), the largest Italian telecommunications company, also active in the media and manufacturing industries.
This vulnerability allow a malicious user to hijack multiples accounts, just by exporting and importing the cookies from the victim's browser and can reuse it even after Logout.
Once you logout, normally a website should not reuse same invalid cookies, but if you are Telecom Italia user, you can reuse same cookies again and again to authenticate session without providing your username or password.
Proof of Concept:
1) Login to Telecom’s website.
2) Export cookies with any cookie handling browser extension (for example Cookie Exporter->Chrome) and save it in a text file (“cookie.txt”) on your computer system.
3) Now Logout and import (for test, you can use another browser) same cookies that you have saved on your computer system, with a browser extension (for example Cookie Importer->Firefox) on another system.
4.) After importing cookies, just refresh page and user will get access to Telecom Italia's accounts without authentication.
This vulnerability is tested on these e-mail:
Telecom Italia also provide emails address @tin.it and @tim.it which are also supposed to be vulnerable to this method.
How to create email for Telecom Italia: You can create an email from Virgilio (http://www.virgilio.it) for free.
Attack’s Methods (Stealing Cookies): To steal cookies there are many methods i.e
- Cross Site Scripting (XSS) with a Cookie Stealer in php
- Physical Access
- MITM (Man in The Middle attack)
Similar flaw was last year reported by us in Hotmail and Outlook, which are still vulnerable.