Posted in: Blog, Posted On: Apr 09, 2014, Posted By: cyberinfoadmin
Session Hijacking of Yahoo.com
What is a Cookie?
A cookie is a small piece of data that a website stores in the browser and that the browser sends back to the site on later requests. There are many types of cookies; some are described below:
A session cookie lasts only for the duration of the user's browsing session. A web browser normally deletes session cookies when it quits. A session cookie is created when no Expires directive is provided at the time the cookie is set.
A persistent cookie outlasts the user's session. If a persistent cookie has its Max-Age set to 1 year, then within that year the value set in the cookie is sent back to the server every time the user visits the website. This can be used to record a piece of information such as how the user initially came to the website; for this reason, persistent cookies are also called tracking cookies.
A secure cookie is only sent when the browser is visiting the server over HTTPS, ensuring that the cookie is always transmitted on an encrypted connection from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.
[Figure: session working diagram]
The weakness on Yahoo's server side is that the session does not expire soon enough when a user logs out. Instead, it remains valid for 24-48 hours before expiring! This means that once an attacker obtains the victim's cookies, he/she can access the Yahoo account for 24-48 hours without the password!
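The cookie attributes described above and the logout weakness in this paragraph, as an added example that is not from the original post: a minimal Python session store (names such as SessionStore and replay_after_logout are my own) that issues a Secure session cookie without Expires/Max-Age and revokes the server-side session on logout, so a copied cookie value stops resolving to the user immediately instead of after 24-48 hours. The HttpOnly attribute is a standard defence the post does not discuss.

```python
import secrets
import time


class SessionStore:
    """Server-side session table keyed by the value carried in the cookie."""

    def __init__(self, idle_timeout=1800, clock=time.time):
        self._sessions = {}        # session id -> [user, last_seen]
        self._idle_timeout = idle_timeout
        self._clock = clock        # injectable so a test can move time forward

    def login(self, user):
        """Create a session; return (session id, Set-Cookie header value)."""
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._sessions[sid] = [user, self._clock()]
        # No Expires/Max-Age, so this is a session cookie the browser drops on
        # quit. Secure: sent only over HTTPS, so it is not exposed to
        # eavesdropping. HttpOnly: page scripts cannot read it.
        return sid, f"sid={sid}; Path=/; Secure; HttpOnly"

    def user_for(self, sid):
        """Resolve a presented cookie value, or None if it is not valid."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None                  # unknown, revoked or never issued
        if self._clock() - entry[1] > self._idle_timeout:
            del self._sessions[sid]      # idle too long: expire server-side
            return None
        entry[1] = self._clock()         # refresh last-seen on each use
        return entry[0]

    def logout(self, sid):
        """Revoke server-side; a copied cookie value is now worthless."""
        self._sessions.pop(sid, None)
        return "sid=; Path=/; Max-Age=0; Secure; HttpOnly"


def replay_after_logout(store, user="alice"):
    """A cookie value copied before logout resolves to the user, and to
    nothing after logout; this is the check that closes the 24-48 hour window."""
    sid, _ = store.login(user)
    stolen_copy = sid                    # the same value, held elsewhere
    before = store.user_for(stolen_copy)
    store.logout(sid)                    # the victim clicks "Sign out"
    after = store.user_for(stolen_copy)
    return before, after
```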
Step 1:
I'm doing this Yahoo session hijacking on my own ID, so I'm going to use two browsers and:
Paid web hosting (with the Yahoo session stealer code).
Note: free web hosting won't work for this, for security reasons.
Victim’s browser: Chrome
Attacker’s browser: Mozilla
Ask your victim to type in the URL. After a while, you can see the cookies appear in your web hosting!