This is a security warning about the login page of the many web sites that offer a “remember me” option:
This problem exists across a wide range of websites that support “remember me”.
Read the story:
The login page handles cookie-based authentication incorrectly:
Please run the following test step by step on two computers:
1- (PC2) Log in to the Yahoo account.
2- (PC2) Change the password.
3- (PC2) Log in to the Yahoo account again with “Keep me signed in” checked.
4- (PC1) Try to log in to the Yahoo account (you can’t, because the password was changed).
5- (PC1) Reset the password (using the security questions or another password-reset method).
6- (PC1) Log in to the Yahoo account with the new password.
7- (PC2) Open the Yahoo Mail page (go to mail.yahoo.com): you can still access the mailbox. Remember that the password was changed at step 5, yet PC2 can still access the mailbox.
(PC1 is your system and PC2 is the hacker’s system.)
Short story:
A hacker compromises the mail account (by social engineering or some other means) and changes the password. The user wants to log in to the mailbox and cannot, because the hacker changed the password. The victim is smart, goes to the “forgot password” section and resets the password with the security question, the alternate e-mail address, etc.
Good. But the hacker still has access to the account, because the hacker logged in with the “Keep me signed in” option on the login page, and the victim does not know.
I think you have to change the “Keep me signed in” option so that it checks the cookie if the password has changed. (I think the site keeps you signed in for 2 weeks.)
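To make the flaw and the fix concrete, here is an added example (not code from the original post, and not Yahoo’s implementation). It models two toy “Keep me signed in” cookie stores: one that mirrors the flawed behaviour described above, where a cookie stays valid until it expires regardless of password changes, and a hardened one that records a per-account credential version in each cookie and bumps that version on every password change or reset, so every cookie issued before the reset is rejected. Account, VulnerableRememberMe, HardenedRememberMe, login and attacker_retains_access are illustrative names; the account names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only so the toy account has a real password check;
    # the flaw under discussion is in the cookie logic, not in hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    password_hash: bytes
    cred_version: int = 0  # incremented on every password change or reset

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))

    def set_password(self, new_password: str) -> None:
        # Used for both "change password" (PC2) and "reset password" (PC1).
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(new_password, self.salt)
        self.cred_version += 1


class VulnerableRememberMe:
    """Flawed design from the post: the cookie is an opaque random token
    mapped to a user, and nothing about it changes when the password does."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # cookie value -> account name

    def issue(self, account: Account) -> str:
        cookie = secrets.token_urlsafe(32)
        self._tokens[cookie] = account.name
        return cookie

    def resolve(self, cookie: str, accounts: Dict[str, Account]) -> Optional[Account]:
        name = self._tokens.get(cookie)
        return accounts.get(name) if name is not None else None


class HardenedRememberMe:
    """Each cookie is bound to the credential version current when it was
    issued; a mismatch means the password changed since, so the cookie is
    rejected and discarded."""

    def __init__(self) -> None:
        self._tokens: Dict[str, tuple] = {}  # cookie value -> (account name, cred_version)

    def issue(self, account: Account) -> str:
        cookie = secrets.token_urlsafe(32)
        self._tokens[cookie] = (account.name, account.cred_version)
        return cookie

    def resolve(self, cookie: str, accounts: Dict[str, Account]) -> Optional[Account]:
        entry = self._tokens.get(cookie)
        if entry is None:
            return None
        name, version = entry
        account = accounts.get(name)
        if account is None or version != account.cred_version:
            self._tokens.pop(cookie, None)  # stale cookie: drop it outright
            return None
        return account


def login(store, accounts: Dict[str, Account], name: str, password: str) -> Optional[str]:
    """Password login with 'Keep me signed in'; returns the cookie or None."""
    account = accounts.get(name)
    if account is None or not account.check_password(password):
        return None
    return store.issue(account)


def attacker_retains_access(store) -> bool:
    """Replays the seven steps from the post against one cookie store and
    reports whether the attacker's PC2 cookie still works after the victim
    has reset the password on PC1."""
    salt = secrets.token_bytes(16)
    accounts = {"victim": Account("victim", salt, hash_password("original-pw", salt))}

    # Steps 1-3 (PC2, attacker): log in, change the password, log in again
    # with "Keep me signed in" and keep the cookie.
    if login(store, accounts, "victim", "original-pw") is None:
        raise RuntimeError("attacker login should succeed")
    accounts["victim"].set_password("attacker-pw")
    pc2_cookie = login(store, accounts, "victim", "attacker-pw")

    # Step 4 (PC1, victim): the old password no longer works.
    if login(store, accounts, "victim", "original-pw") is not None:
        raise RuntimeError("old password should be rejected")
    # Steps 5-6 (PC1): reset via the recovery flow, then log in normally.
    accounts["victim"].set_password("recovered-pw")
    if login(store, accounts, "victim", "recovered-pw") is None:
        raise RuntimeError("victim login should succeed")

    # Step 7 (PC2): present the cookie issued before the reset.
    return store.resolve(pc2_cookie, accounts) is not None


if __name__ == "__main__":
    print("vulnerable store, attacker keeps access:", attacker_retains_access(VulnerableRememberMe()))
    print("hardened store, attacker keeps access:", attacker_retains_access(HardenedRememberMe()))
```

A credential version is one way to do this; a store that keeps a per-user list of issued cookies and deletes them all on a password change or reset achieves the same result, at the cost of an extra lookup on every change. Either way, the check belongs in the cookie-resolution path itself, not only in the password form.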
—————————-
At first I sent the report to Yahoo, but this is not a Yahoo problem; Yahoo is just a sample site.
I don’t want to hack any site or any site’s members.
And I don’t want to say that I know how to hack sites.
This is a problem with cookie checking in the login process of many sites.
This is not an exploit, a virus or other malicious software; this is a flaw in how the login process was developed.
I am just pointing out the problem with cookie checking in the login process.
This is news, not a threat from a hacker; it is a warning for developers and users.