Stealing your TG login session
  • Stealing your TG login session

    I just saw this article on Sophos and noticed that TG sessions are not encrypted:

    http://nakedsecurity.sophos.com/2010...security-hero/

    If you log in to TG over unencrypted wireless, others in the area can sniff your session cookie and pretend to be you on TG (or other forums and web systems that don't remain in HTTPS encrypted mode for the entire session).

    Is there a way to get vBulletin to stay in HTTPS mode after login?
    Dude, seriously, WHAT handkerchief?

    snooggums' density principal: "The more dense a population, the more dense a population."

    Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."

  • #2
    Re: Stealing your TG login session

    This also affects logging into Facebook and other forums that don't support HTTPS. Don't use unencrypted wireless (typically supplied "free") when using such services or the guy sitting next to you might hijack your session. He could then change your password and email for the service and take over the account.
    Dude, seriously, WHAT handkerchief?

    snooggums' density principal: "The more dense a population, the more dense a population."

    Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."



    • #3
      Re: Stealing your TG login session

      Originally posted by ScratchMonkey
      I just saw this article on Sophos and noticed that TG sessions are not encrypted:

      http://nakedsecurity.sophos.com/2010...security-hero/

      If you log in to TG over unencrypted wireless, others in the area can sniff your session cookie and pretend to be you on TG (or other forums and web systems that don't remain in HTTPS encrypted mode for the entire session).

      Is there a way to get vBulletin to stay in HTTPS mode after login?
      Well, I question your conclusion that you can hijack a user's session using nothing other than the session ID obtained through sniffing. How are you recreating the rest of the cookie and client-side authentication data? Additionally, you wouldn't need to sniff any session ID or cookie data if you're able to capture a username/pw during the initial authentication process.

      That being said, no. We cannot force the entire site to run over SSL. To start, that would add a HUGE process load on the server side having to deal with encryption for every connection, never mind cause issues with a lot of other parts of TG that can't deal with the SSL-only interaction that would be necessary to make it work.

      Authentication on most sites, including TG, uses multiple factors to identify a user and provide session integrity beyond a session identifier. Only EXTREMELY poorly written code would rely on nothing more than a session ID for authentication. I could tell you a story about a national bank that I once did some work for that had a flaw similar to what you're describing that I was able to successfully exploit in a matter of minutes, and even then it *WAS* using an SSL protected session. I COULD tell you the story, but that would be a violation of my NDA. :)

      Logging into ANYTHING over unencrypted wireless is inadvisable in general. Personally, I stay away from unprotected wireless networks completely.
      Diplomacy is the art of saying "good doggie" while looking for a bigger stick.



      • #4
        Re: Stealing your TG login session

        Thanks for the quick response. I'm not savvy enough with how sessions work to know why this wouldn't work. Is a new cookie negotiated with every transaction? Isn't the heart of the attack a replay attack that uses the session cookie over a NAT'd IP to pretend to be the other PC's browser?

        Is something like an SSL wrapper applied to just the cookie to conceal that from sniffers?

        A link to info on how to defend sessions without SSL would be welcome. Presumably this is well-documented in the security community.
        Dude, seriously, WHAT handkerchief?

        snooggums' density principal: "The more dense a population, the more dense a population."

        Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."



        • #5
          Re: Stealing your TG login session

          Originally posted by ScratchMonkey
          Thanks for the quick response. I'm not savvy enough with how sessions work to know why this wouldn't work. Is a new cookie negotiated with every transaction? Isn't the heart of the attack a replay attack that uses the session cookie over a NAT'd IP to pretend to be the other PC's browser?

          Is something like an SSL wrapper applied to just the cookie to conceal that from sniffers?

          A link to info on how to defend sessions without SSL would be welcome. Presumably this is well-documented in the security community.
          A new cookie is not negotiated with every transaction, but elements of your session stored both on the TG side and client side need to match with the information also stored in the cookie client-side.

          Compromising a user's session on non-HTTPS connections is certainly doable using a variety of methods, but you will generally need more than just a session ID. A replay attack using the same session ID would likely get you the ability to view a page, but continued navigation after that point could be problematic.

          Defending sessions not protected by SSL is best done by not using networks that create that added risk, such as open wireless.

          I did somewhat lie when I said I never use open wireless, but when I do, I use my Cisco VPN client on my laptop to connect back to my firewall at home (Cisco PIX 501) and then browse from there. All my traffic over the open wireless is encrypted via the VPN and then my browsing sessions originate from my home IP address.

          If you use open wireless frequently, you could do something similar. You could very likely find free and open-source software to build the VPN!
          Diplomacy is the art of saying "good doggie" while looking for a bigger stick.

          Comment
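
Added example (not part of any post in this thread, and not TG's or vBulletin's code): the question in post #1 comes down to whether the session cookie issued at login carries the Secure attribute, since without it the browser attaches the cookie to later plain-HTTP requests where it can be sniffed. The audit below checks login-response headers for that; the cookie names and header values are constructed for illustration.

```python
"""Audit login-response headers for cookies a browser would send over plain HTTP."""

# Constructed sample: headers a forum might return from an HTTPS login POST.
# Cookie names and values are made up for illustration.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sessionhash=3f9ac2d1; path=/; HttpOnly"),
    ("Set-Cookie", "userid=1042; path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lastvisit=1288651200; path=/"),
    ("Content-Type", "text/html; charset=UTF-8"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attribute dict with lowercase keys)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit(headers):
    """Report cookies lacking Secure/HttpOnly and whether HSTS is present."""
    exposed, script_readable, hsts = [], [], False
    for key, value in headers:
        k = key.lower()
        if k == "strict-transport-security":
            hsts = True
        elif k == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                exposed.append(name)          # sent on http:// requests too
            if "httponly" not in attrs:
                script_readable.append(name)  # readable from page scripts
    return {"sent_over_http": exposed,
            "readable_by_script": script_readable,
            "hsts": hsts}


if __name__ == "__main__":
    report = audit(SAMPLE_HEADERS)
    for name in report["sent_over_http"]:
        print(f"[!] {name}: no Secure attribute, sent in cleartext over http://")
    if not report["hsts"]:
        print("[!] no Strict-Transport-Security header in the response")
```
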


          • #6
            Re: Stealing your TG login session

            Interesting article here on the back and forth of securing wifi against FireSheep:

            http://www.boingboing.net/2010/11/10...esnt-shea.html

            I vaguely recall some home ISPs forbidding VPNs without a "commercial" package, because VPNs are only legitimately used for home business. Do ISPs still forbid VPNs in their TOS? There's also the "no servers" provision of residential ISPs to worry about. Using one's office router for its VPN is likely to subject one to the company restrictions on acceptable use, so is not desirable unless the user owns the company. Are there off-the-shelf home routers that offer VPN capability for roving users? Presumably it would need Dynamic DNS support so one could find one's home router while traveling.
            Dude, seriously, WHAT handkerchief?

            snooggums' density principal: "The more dense a population, the more dense a population."

            Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."



            • #7
              Re: Stealing your TG login session

              Originally posted by ScratchMonkey
              Interesting article here on the back and forth of securing wifi against FireSheep:

              http://www.boingboing.net/2010/11/10...esnt-shea.html

              I vaguely recall some home ISPs forbidding VPNs without a "commercial" package, because VPNs are only legitimately used for home business. Do ISPs still forbid VPNs in their TOS? There's also the "no servers" provision of residential ISPs to worry about. Using one's office router for its VPN is likely to subject one to the company restrictions on acceptable use, so is not desirable unless the user owns the company. Are there off-the-shelf home routers that offer VPN capability for roving users? Presumably it would need Dynamic DNS support so one could find one's home router while traveling.
              It all depends on your ISP. I can't speak for other companies, but as far as I know, AT&T has no such VPN restriction.
              |TG-18th| Acreo Aeneas
              TG World of Tanks Clan Executive Officer
              Former 9th & 13th

              Pronounciation: Eh-Cree-Oh Ah-Nay-Ess
              Still can't say it? Call me Acorn then. -.-





              SSDs I Own: Kingston HyperX 3K (240 GB), Samsung 840 Pro (256 GB), Samsung 840 EVO (250 GB), Samsung 840 x 2 (120 GB), Plextor M5S (120 GB), OCZ Vertex (30 GB)

              TG Primer and Rules



              • #8
                Re: Stealing your TG login session

                Really old thread... but I figured I'd update it anyway now that everything on TG is SSL capable.

                4 years later, scratchmonkey, and I got you your https!
                Diplomacy is the art of saying "good doggie" while looking for a bigger stick.



                • #9
                  Re: Stealing your TG login session

                  Wait, wasn't this about TG's unencrypted TS connections? Aren't they still unencrypted? (Not that we need them to be encrypted given the tokenization process and privileges structure in TS3.)
                  |TG-18th| Acreo Aeneas
                  TG World of Tanks Clan Executive Officer
                  Former 9th & 13th

                  Pronounciation: Eh-Cree-Oh Ah-Nay-Ess
                  Still can't say it? Call me Acorn then. -.-





                  SSDs I Own: Kingston HyperX 3K (240 GB), Samsung 840 Pro (256 GB), Samsung 840 EVO (250 GB), Samsung 840 x 2 (120 GB), Plextor M5S (120 GB), OCZ Vertex (30 GB)

                  TG Primer and Rules



                  • #10
                    Re: Stealing your TG login session

                    I didn't realize this thread is so old, but this is why I try my best to draw TG users to the forums. It's very important that we know you by both voice and text. Otherwise, if something like this does happen to you, how are we to say that it's not you actually angry or drunk on the forums?

                    It's easy enough to say that if Wyzcrak or Apophis were posting in threads all racist or vulgar, they've likely been hacked and it's not who they truly are. I'd like to think the same thing can be said about me because of my active voice in the community.

                    That said, there are a lot of new players who do not frequent the forums. We all vaguely know you from your voice, and it is likely that we will build that trust as time flows ever forward, but without a track record to gauge against, it's hard to say what any one person is going to post in text in these forums, or say on TS for that matter.

                    Mom
                    Games lubricate the body and the mind. - Benjamin Franklin
                    Ever since the beginning, to keep the world spinning, it takes all kinds of kinds. -Miranda Lambert

                    You're a 34, Mom. Thirty. Four.
                    Forever Perplexed



                    • #11
                      Re: Stealing your TG login session

                      You know, the thread title scared me at first.



                      Interested in listening to guitar playing and a good conversation, look for me on TS.

                      "Hope is for the weak. I hope for nothing. I work for things. That is the only way for events to unfold." -Cleverbot



                      • #12
                        Re: Stealing your TG login session

                        The thread is about forum logins, not TeamSpeak. My concern was the new (at the time) Firesheep exploit that allowed people sitting next to you in an unpassworded wifi cafe to steal your forum session for some kinds of forum software.

                        Firesheep - Wikipedia, the free encyclopedia
                        Dude, seriously, WHAT handkerchief?

                        snooggums' density principal: "The more dense a population, the more dense a population."

                        Iliana: "You're a great friend but if we're ever chased by zombies I'm tripping you."



                        • #13
                          Re: Stealing your TG login session

                          Scratch! Where have you been man?

                          Hmm, now that I read it over again, I'm not sure why my mind inserted "teamspeak" between "TG" and "login". My fault for derailing Apo's attempt to say "it's fixed!". :)
                          |TG-18th| Acreo Aeneas
                          TG World of Tanks Clan Executive Officer
                          Former 9th & 13th

                          Pronounciation: Eh-Cree-Oh Ah-Nay-Ess
                          Still can't say it? Call me Acorn then. -.-





                          SSDs I Own: Kingston HyperX 3K (240 GB), Samsung 840 Pro (256 GB), Samsung 840 EVO (250 GB), Samsung 840 x 2 (120 GB), Plextor M5S (120 GB), OCZ Vertex (30 GB)

                          TG Primer and Rules
