Sep 10 2007 7:21AM GMT

Google, Yahoo, Microsoft vulnerable to authentication token flaw

Posted by: Robert Westervelt
Application Security, Information Security Threats

Researchers at the United States Computer Emergency Readiness Team (US-CERT) have discovered a flaw in the way some Web sites handle authentication tokens. The agency issued an advisory Friday warning that some sites transmit authentication data, such as cookies, without encrypting the entire session, even when the authentication material is initially set over an encrypted HTTP session.

US-CERT said it found Yahoo, Microsoft and Google to be among the sites transmitting the unencrypted data. Transmitting the token unencrypted allows an attacker to impersonate the end user and, for example, view their Gmail session, as well as “take any action on the web site that the legitimate user can,” US-CERT said in its advisory.
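The mechanism behind the advisory is a cookie attribute, not a protocol bug: a session cookie issued during an HTTPS login is still attached by the browser to later plain http:// requests for the same site unless it carries the Secure attribute. The following is an added example, written for this post and not taken from US-CERT or any of the sites named; it parses Set-Cookie headers, models the browser's scheme rule, reports which authentication cookies would leave in the clear, and shows the mitigation of adding the Secure (and HttpOnly) attributes. The cookie names, values and host are constructed, and domain/path matching is assumed to succeed.

```python
"""Audit Set-Cookie headers for authentication cookies that a browser would
still send over plaintext HTTP: the cookie is set during an HTTPS login but
lacks the Secure attribute, so later http:// requests carry it in the clear.

Example code written for this post; cookie names and values are constructed
and do not belong to any real site."""
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, Domain, Max-Age) to their string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def browser_would_send(cookie: dict, url: str) -> bool:
    """Model the scheme rule a browser applies before attaching a cookie:
    a cookie marked Secure goes only over https://, anything else goes over
    both http:// and https://. Domain and path matching are assumed to
    succeed here (out of scope for this example)."""
    scheme = urlsplit(url).scheme.lower()
    if cookie["attrs"].get("secure"):
        return scheme == "https"
    return scheme in ("http", "https")


def audit_login_response(set_cookie_headers, auth_cookie_names, plain_url):
    """Return the names of authentication cookies from a login response that
    the browser would later transmit to plain_url (an http:// URL).

    Only cookies listed in auth_cookie_names count: a preference cookie
    leaking over HTTP is noise, a session token is the finding."""
    exposed = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] in auth_cookie_names and browser_would_send(cookie, plain_url):
            exposed.append(cookie["name"])
    return exposed


def harden_set_cookie(header: str) -> str:
    """Mitigation: append Secure (never sent over plaintext) and HttpOnly
    (not readable by script) to a Set-Cookie header that lacks them.
    Rewriting the header string is for illustration; in a real application
    the flags are set where the session cookie is issued."""
    cookie = parse_set_cookie(header)
    out = header.rstrip().rstrip(";")
    if not cookie["attrs"].get("secure"):
        out += "; Secure"
    if not cookie["attrs"].get("httponly"):
        out += "; HttpOnly"
    return out


# Constructed login response: three cookies as a site might set them over
# https://. SID is a session token without Secure (the advisory's case),
# PREF is a harmless preference cookie, AUTH2 is a correctly flagged token.
LOGIN_RESPONSE_COOKIES = [
    "SID=constructed-session-token-1; Path=/; HttpOnly",
    "PREF=lang%3Den; Path=/",
    "AUTH2=constructed-session-token-2; Path=/; Secure; HttpOnly",
]
AUTH_COOKIE_NAMES = {"SID", "AUTH2"}
PLAIN_URL = "http://mail.example.test/inbox"  # constructed host

if __name__ == "__main__":
    leaked = audit_login_response(LOGIN_RESPONSE_COOKIES, AUTH_COOKIE_NAMES, PLAIN_URL)
    print("auth cookies a browser would send over plain HTTP:", leaked)
    for h in LOGIN_RESPONSE_COOKIES:
        print("hardened:", harden_set_cookie(h))
```

Run against the constructed response, the audit reports only `SID`; after `harden_set_cookie` is applied to each header, the same audit against an http:// URL reports nothing, which is the property a site can check for itself by capturing its own login response and running the audit over the Set-Cookie headers.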

This isn’t the first time we’ve heard about this vulnerability. At Black Hat 2007, researchers at Errata Security presented their findings that user sessions at some Web sites can be hijacked by sniffing their authentication data over an open Wi-Fi connection. Users of Google’s Gmail, Microsoft’s Hotmail and Yahoo Mail are at risk, as are users of Facebook and other Web 2.0 social-networking Web sites.

Two tools, created by Robert Graham and David Maynor of Errata, can conduct the sniffing fairly easily. They demonstrated the tools at Black Hat, briefly displaying an attendee’s Gmail session.

Shame on Microsoft, Yahoo and Gmail for not making security a priority by making encryption part of the default settings when a user logs in. Google allows users to use SSL to access their accounts, but only after the user goes into user settings to turn on SSL. The one positive is that some sites require the user to input their username and password a second time when changing session settings, etc.
