This Friday I was working with my co-security researcher "Christy Philip Mathew" in The Hacker News Lab, testing the cookie handling vulnerabilities in the most famous email services, i.e. Hotmail and Outlook. Both are merged now and part of the same parent company, Microsoft, the software giant.





The vulnerability allows an attacker to hijack accounts in a very simple way, by just exporting and importing the cookies of a user account from one system to the attacker's system, and our results show that even after logout by the victim, the attacker is still able to reuse the cookies at his end. There are different ways of stealing cookies, which we will discuss below. In May 2012, another Indian security researcher, Rishi Narang, claimed a similar vulnerability in the LinkedIn website.

Vulnerability Details

Many websites, including Microsoft services, use cookies to store session information in the user's web browser. Cookies are responsible for maintaining a session on a machine. Once a user logs out from his PC, the session cookies should be invalidated and must not be accepted again.

But in the case of Hotmail and Outlook, even after logout, one can use the same cookies again and again to authenticate the session without needing the account password.

Proof of Concept

To demonstrate this flaw, readers should first know about cookie importing and exporting. A serious technical step? No, you just need a Firefox addon called 'cookie-importer' for importing and 'Cookie Exporter' for exporting cookies in the browser.

Step 1, log in to your Hotmail or Outlook email account, go to cookie-exporter and save the file on your system, then log out of your account (as shown below).





Step 2, open another browser or any other system where you have cookie-importer to import cookies. Select the file exported in the last step and import it.

Step 3, once imported, just open outlook.com or hotmail.com in your browser on the second system and you can check that the victim's account logs in automatically, using the same cookies.
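The behaviour described under Vulnerability Details and replayed in the three steps above can be modelled in a few lines. This is an added example, not code from the original article and not Microsoft's implementation: the two session classes, `replay_after_logout` and the user name are assumptions, and they contrast a self-validating cookie with a session ID the server can revoke.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # server-side signing key, constructed for the example


class StatelessSessions:
    """Flawed design: the cookie validates itself and the server keeps no state."""

    def login(self, user):
        sig = hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()
        return f"{user}.{sig}"

    def logout(self, cookie):
        # Only the browser's copy is dropped; an exported copy is untouched.
        pass

    def whoami(self, cookie):
        user, _, sig = cookie.rpartition(".")
        good = hmac.new(KEY, user.encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(sig, good) else None


class ServerSideSessions:
    """Hardened design: the cookie is a random ID looked up in a server-side table."""

    def __init__(self):
        self._active = {}

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self._active[sid] = user
        return sid

    def logout(self, cookie):
        self._active.pop(cookie, None)  # revoke: the ID is dead on every machine

    def whoami(self, cookie):
        return self._active.get(cookie)


def replay_after_logout(sessions, user="alice@example.test"):
    """Log in, keep a copy of the cookie, log out, then present the copy again."""
    cookie = sessions.login(user)
    exported = str(cookie)  # stands in for the exported cookie file
    assert sessions.whoami(exported) == user
    sessions.logout(cookie)
    return sessions.whoami(exported)  # None means the old cookie was rejected
```

The same function works as a regression check for a logout handler: any return value other than `None` means a copied cookie outlives the session.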






Working Live Example for Readers

For a live working demo for our readers, we have created an account on outlook.com, where the email is test_security0@outlook.com and the password is .....? Nahh, you don't need that!





We have exported the cookies of our account to a text file and readers can download the cookies.txt file 'Here' (Update - now removed from server, please test at your system). Once you (attacker) have the cookies, just open your browser and import the cookies using the add-on as shown in the above steps, and after that visit outlook.com. 'Let me know via comments on this post' what you have!





Why did the researcher choose public disclosure?

Being a responsible security news media, 'The Hacker News' always suggests that hackers and researchers first report each possible vulnerability only to the vendor. Christy had reported to the Microsoft Security Team and received the following response:





The Microsoft Security Team closed the ticket just by saying that cookies are transferred over HTTPS in an encrypted manner and that the password of the account cannot be changed without re-authentication. They concluded that this flaw is not a serious vulnerability, so Christy chose public disclosure.





Either the Microsoft team didn't understand the impact or they don't want to. Why would one need to change the password, if he can access mails, and can delete, send and back them up, with just cookies?





Possible Implementations of Account Hijacking

At the end, the most important part: how to steal cookies? A cookie is usually a small piece of data sent from a website and stored in a user's web browser. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.





Cookies have a parameter called 'domain', which is equal to the domain name of the website that creates the cookie in the browser, and only the same domain is able to read its cookies from the browser.





There are various ways an attacker can steal cookies, depending upon various factors:





1.) Having physical access to the victim's system (Success Rate - 100%): As shown above, if the attacker can get physical access to the victim's system, he can easily export the cookies of the logged-in account to a text file and then take it to another system for hacking purposes.



If one has physical access, he can do many more things, so why just steal cookies? Because once the attacker has the cookies, he can reuse them again and again for re-authentication, even after the victim logs out of the session from his end any number of times. So there is no chance that the victim will ever come to know that his account is compromised.





2.) Victim and attacker are in the same network (Success Rate - 50%): If the attacker and victim are using the same LAN/Wi-Fi network, a man-in-the-middle attack can do this sort of thing using SSL strip-like tools.





One of the best and most portable tools for performing session / cookie hijacking over HTTPS is an Android penetration testing application called "dSploit", which has an option "Session Hijacker" in it. There are lots of similar tools available for this purpose.





3.) Cross site scripting in Hotmail and Outlook (Success Rate - 100% if XSS exists): Internet giant companies like Google, PayPal and Facebook pay thousands of dollars as bug bounties for cross site scripting, because these vulnerabilities can be used to steal users' cookies for account hijacking.

So if someone finds an XSS vulnerability in Hotmail or Outlook in the future, he will be able to steal cookies by crafting malicious links. In this method, the combination of a cross site scripting vulnerability and the cookie handling vulnerability will lead to account hijacking of Hotmail and Outlook accounts.

For example, just a few days back, an unknown hacker was selling an exploit for $700 that allows individuals to hijack a Yahoo! email account; in that case the hacker was using a cross site scripting flaw in one of the domains of the Yahoo website.

4.) Malware and stealers (Success Rate - 100%): The victim's PC can be hacked using an auto cookie-stealing malware (that is currently under beta testing by the team), or any RAT tool can allow an attacker to get your cookies remotely.
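For a defender, the four routes above map differently onto what a cookie's own attributes can cover. This is an added example, not part of the original article: the function name, route labels and the two `Set-Cookie` headers are constructed for illustration. It reports which of the listed routes a given cookie leaves open.

```python
from http.cookies import SimpleCookie

# Labels follow the numbering of the list above.
ROUTES = {
    1: "physical access to the victim's system",
    2: "victim and attacker in the same network",
    3: "cross site scripting",
    4: "malware / RAT",
}

# Constructed sample headers (not captured from any real service).
WEAK = "sid=abc123; Domain=.mail.example.test; Path=/"
STRONG = "sid=abc123; Domain=.mail.example.test; Path=/; Secure; HttpOnly"


def open_theft_routes(set_cookie_header):
    """Return the route numbers that this Set-Cookie header does not close."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if not jar:
        raise ValueError("no cookie found in header")
    morsel = next(iter(jar.values()))

    # No attribute protects a cookie copied from the machine that holds it,
    # so routes 1 and 4 stay open until the server invalidates the session.
    routes = [1, 4]
    if not morsel["secure"]:
        routes.append(2)  # browser will send it on plain-HTTP requests
    if not morsel["httponly"]:
        routes.append(3)  # page script can read it via document.cookie
    return sorted(routes)


if __name__ == "__main__":
    for name, header in (("weak", WEAK), ("strong", STRONG)):
        for n in open_theft_routes(header):
            print(f"{name}: route {n} open ({ROUTES[n]})")
```

Routes 1 and 4 remain open even for the stricter header, which is why invalidating the session on the server at logout matters regardless of the cookie flags.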

Vulnerability Timeline

Vulnerability Discovered -
Vulnerability Reported -
Reply from vendor -
Vulnerability Public Disclosure -

We hope Microsoft will take the issue seriously and fix it as soon as possible!