User session management: Into the phrase
In the digital routine, we might have parsed the phrase “user session management” several times. So, what exactly is session management? It is a ruleset that handles the interaction between a user and a web-based application. While using a web application, it is always essential to secure the user and the application connection. In an ongoing session, a user may submit several requests to the application. It can be critical and sensitive at times.
Each request/response will have a connected token that helps the application remember unique information about the user. Session cookies are present to help manage these sessions. However, several properties of these cookies require mindful configuration. Security shouldn’t go compromised here as modern-day attacks won’t spare the simplest ways of infiltration.
So, here is one of the success findings by Kishor, Security Analyst at ValueMentor, on improper user session expiry spotted on Google Nest. Without stretching time, let’s move on to the successful catch.
The spotted vulnerability in user session management
As a part of routine bug inspections, Kishor detected a vulnerability with the Google Nest application during the penetration testing exercises. The identified issue was that the user session failed to cease or expire even after a password change.
Detailing the discovery of user session management
Steps to reproduce
- He visited the site https://store.nest.com and signed up there.
- Created a login and entered the website on two browsers.
- Next, he logged off from one of the browsers and changed the password using forgot password option.
- Afterwards, he went to the other browser and refreshed the accounts page.
- The account page got loaded. The session was still active, although he changed the password credential from the other browser.
- The application failed to invalidate the session after the password change.
Impact of user session management
Although there was a change in password credentials, the old session resumed without being terminated. Hence, there shall be no way for the victim to revoke an attacker’s access if the account has already got compromised. The vulnerability was found true to evidence and reported to Google.
Discovered: May 24, 2019
Report Submitted: May 24, 2019
Report Accepted: June 26, 2019
Listed on Google honourable mentions
More about sessions and tokens
Sessions in a web application point to a data structure stored on the server which associates with a specific user. Typically, it gets initiated by user authentication and terminated by a log-off. Any session connected to a user get identified through tokens and delivered to the browser as a cookie. The browser then sends these tokens to the server and allows the retrieval of the session object. In this way, the context between a user and server gets maintained.
How to protect session identifier tokens?
Session hijacking is one of the primary attacks exploiting the cookies. The most common vulnerabilities relating to session identifier are;
- Not able to use solid cryptographic values as the session identifier.
- Not able to safeguard the confidentiality of session-id cookie.
- Failure to create a new session identifier after the login process.
Importance of proper user session termination
Based on the above facts, one thing sounds clear and conveyed, that you need to deploy a proper session termination. The communication between a user and server must go terminated upon user log-off. An improper session expiry can have diverse and unhealthy after backs. The following are the instances fuelling the situation;
Not able to invalidate user sessions upon user log off
While logging off, the session identifier cookie on the browser and session object on the server should go invalidated or expire.
Not able to invalidate sessions upon a specific period of user inactivity
The instance could give attackers the chance to regain or resume a deserted user session.
Failure to invalidate sessions when the user doesn’t log off but closes the browser
The condition allows the session to go regained in a new browser session.
So far, we have discussed a relevant finding that goes beyond the scope if not properly patched. Attackers are constantly evolving to new trends, and their way or intuition can vary beyond enterprise expectations. It is not always the big fish that catches the mouth of attackers. But they can infiltrate a simple vulnerability and extend their expertise afterwards. That is where session invalidation or proper session management matters. ValueMentor, as a cyber security firm, is always ready to let our hands-of support to all modern-day cyber requirements.