We'll call her "Ellen," a typical online stock trader. Every other weekday morning, she logs in to her preferred online stock trading site and either buys, sells, or holds items in her portfolio. One morning, she scanned her stocks and, after checking the current market conditions, decided not to buy or sell. Yet shortly after she logged out she received an e-mail from the stock site confirming her purchase of 2,000 shares in a company she'd never heard of before. Logging in again, she found that, sure enough, her portfolio showed she now owned shares of that stock. More importantly, the stock was soaring in value. What happened here is not a flaw, per se, but a side effect of lax security employed on some Web applications. It's an unusual phishing tale that involves something called session fixation,
and it was a hot topic at last week's Black Hat Briefings in Las Vegas
In this fictional case, the online trading server checks to see only whether a valid session ID is present on the user's system. If not, the online trading server issues a new session ID, and, worse, let's say it does so in advance of a user authenticating his or her identity. This scenario allows a criminal to log in to that stock site, grab a freshly minted session ID, then turn around and e-mail the online stock site's URL--with that session ID appended to it--to several hundred customers of that site. Some of the recipients then click the link and in doing so, share their new session ID with the criminal. This allows him to eavesdrop on their transactions and, in this case, make a transaction.
Session fixation takes advantage of two things: one, the promiscuous nature of the Web applications handing out a session ID prior to authenticating the user; and two, the laziness of the some Web application in issuing a new session ID. Con artists already know about setting session IDs, and when combined with financial services sites, the results can be damaging.
Penny stocks, anyone?
A variant of the above scenario was presented at Black Hat. Researchers Chuck Willis and Rohy Belani of Mandiant, a security vendor, outlined one case study in which a real online stock broker found that several of its customers reported buying the same penny stock without their knowledge. Through forensic investigations, the researchers learned that all the illegitimate trades were identified with the same session ID, even though the users had individually logged in to their own accounts via their own IP addresses. Who ever did this then used the common session ID to log in to the stock site and begin executing a script that bought shares of that penny stock every 5 seconds.
Con artists already know about setting session IDs, and when combined with financial services sites, the results can be damaging.
With hundreds of people buying thousands of shares, the value of that penny stock quickly rose. What the researchers learned was that the potential number of victims could have been close to 1,000, but that many of the victims didn't bother to report the activity--they all stood to benefit from this trade; that is, if they sold quickly. But the few that did report it as suspicious helped lead the investigators to a phishing e-mail sent before the trade occurred. Within the e-mail, presumably from the online trading site, was a URL with the now-famous session ID tacked on the end. In this case, the investigation ended there, with the criminal cloaked among the hundreds who made a little money off the whole event.
It's important to note that almost every attack scenario using session fixation involves the criminal contacting the victim with a preset session ID within the target URL.
Sophisticated phishing attacks
Session IDs are supposed to make online transactions secure. Sometimes, though, they can come back and bite the Web applications using them, especially if they're not implemented properly. It's important to note that almost every attack scenario using session fixation involves the criminal contacting the victim and including a preset session ID within the target URL.
As long as the victim doesn't click the link in the e-mail, the attack isn't successful. But many people do fall for these sophisticated phishing attacks. If you view the source of the e-mail, the URL is legitimate--if you click it, you will connect to the proper Web site. Only the details at the end of the URL may be confusing. For example, the characters ?SID followed by a random number-letter combination would be a session-fixation attack.
What can be done?
On the Web server side, applications should not accept session identifiers from GET / POST variables or referrers from other sites, they should not accept session IDs not generated by the server accepting the sessions, and they should set expiration time-outs for all session IDs. Web servers should also not issue session IDs prior to authentication, nor should they reuse old session IDs. Every authenticated session should be unique. For more a detailed look at this topic, see this PDF file from Acros security; it's one of the first papers to coin the phrase session fixation.
For the end user, the obvious still holds true: Don't click finance-related links sent to you via e-mail, even if the address appears to be legit. I think phishing has eclipsed spyware as the biggest online threat these days--do you agree? Talk back to me.