Neil Turner's Blog

Blogging about technology and randomness since 2002

Security Schmecurity

Hari and I have just (inadvertently) found a flaw in a certain unnamed web site. She sent me a link to a page in her account details which I was able to click on and view all of her details as if I had logged in – without knowing her username and password. This is despite the fact that Hari uses a different ISP and is located around 200 miles away from me right now.
This is a major flaw, as you can probably guess. The situation was mitigated by the fact that the information was sent over HTTPS, making an attack by an unknown party less likely, but had Hari’s machine been infected with spyware or a keylogger then theoretically some random third party could have logged in and stolen her account.
I’m keeping the name of the web site anonymous for now, but I’ll give you a clue – it has around 5 million users around the world. Still, I’d prefer it if no-one tried to guess the identity of the site in the comments. But it does scare me that a web site like this would have such a big gaping hole in it, which could be so easily fixed with session cookies.
Update: It appears that the web site in question has fixed the flaw.

2 Comments

  1. A problem with PHP sessions? I’ve had one of these before with another site. Someone posted a link in an IRC channel which included his current PHP session details, I clicked on it and ended up logging in as him!

  2. I’m guessing that the URL had a session ID included in it?
    Personally I don’t see how that is less secure than cookies; cookies are just as easily pinched as the session ID if you’re sniffing the network. And a keylogger would already have got her username and password when she typed them in. And because it’s using SSL it really doesn’t matter in the slightest unless you actually send somebody the URL with the session ID in.
    No, whilst it’s preferable to use cookies over session IDs the real security issue here is not locking the session to a particular IP address – and whilst that would cause problems for ISPs such as AOL, it would provide more security.
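The fix the post points to (a session cookie instead of a session identifier carried in the URL), written out for PHP sessions since the first comment suggests that is what leaked here. This is an added example, not code from the post or from the site in question; the directive values are PHP's standard session settings and assume PHP 7.3 or later, and nothing here is known about the actual site's configuration.

```php
<?php
// Added example: a session bootstrap that keeps the session id out of URLs,
// so a shared link no longer carries a login with it.
//
// Weak configuration (what a site that leaks sessions via links looks like):
//   session.use_trans_sid    = 1   ; PHP appends the session id to links/forms
//   session.use_only_cookies = 0   ; an id arriving in the query string is used
//
// Hardened configuration, set at runtime before session_start():
ini_set('session.use_trans_sid', '0');     // never rewrite URLs with the id
ini_set('session.use_only_cookies', '1');  // ignore ids that arrive in the URL
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued

session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie, gone when the browser closes
    'path'     => '/',
    'secure'   => true,   // sent over HTTPS only
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);

session_start();

// Defensive check: an old bookmark or a forwarded link may still contain the
// session parameter. It is not honoured (use_only_cookies), but if it matches
// the caller's live session the leaked value would still be valid elsewhere,
// so rotate the id and redirect to the same URL with the parameter removed.
if (isset($_GET[session_name()])) {
    session_regenerate_id(true);           // true: discard the old session data
    $clean = strtok($_SERVER['REQUEST_URI'], '?');
    $query = $_GET;
    unset($query[session_name()]);
    if ($query) {
        $clean .= '?' . http_build_query($query);
    }
    header('Location: ' . $clean, true, 303);
    exit;
}

// Rotate the id whenever privilege changes, so an id captured before login
// cannot be replayed as the authenticated session afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

With `use_trans_sid` off, links and forms are never rewritten to include the id, so the scenario in the post (a copied account URL that logs the recipient in) cannot recur.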