Leading ecommerce websites vulnerable to a security breach in randomly generated session IDs

SAN FRANCISCO, CA - February 15, 2005
Zvi Gutterman and Dahlia Malkhi from the School of Computer Science at the Hebrew University in Jerusalem, and Beyond Security, a leading developer of vulnerability assessment and self-management solutions, today announced that, through the use of predictive algorithms, randomly generated session IDs can be breached. Session IDs are the most common method ecommerce websites use to track specific customer activities on their site. Gutterman, who will present his findings at the RSA Conference in San Francisco on Tuesday, February 15th at 3:25 pm, will show how Java Servlet 128-bit randomly generated session IDs can be breached and what ecommerce websites can do to secure themselves and their customers from this breach.
The success that online retailing has experienced over the last decade is due to the ability of the Internet to enable a personalized shopping experience 24/7. To offer a personalized experience over HTTP (Hypertext Transfer Protocol), the online retailer's web server must 'remember' specific customers' preferences, including the 'shopping cart', pages visited and any other parameters. This memory link between the online retailer's web server and the customer's web browser is established through the use of randomly generated session IDs.
The research conducted by Gutterman as part of his PhD dissertation uncovered a way to predict the randomly generated session IDs, which enables 'hijacking' an HTTP session and pretending to be the original customer.
Online retailers that enable existing customers to make a purchase during their normal browsing session are particularly vulnerable to this breach. In this case, the server uses a customer's credit card details already stored on the server. The decision to debit the credit card is based solely on the identification of the customer's session ID. In this scenario, an attacker that can guess a valid client ID can easily hijack the client's session, obtain client profile data such as personal preferences, and order merchandise paid for by the hijacked client. A similar hijacking on a financial services website, such as a banking or brokerage website, could result in even greater damages. Other scenarios include hijacking web-based email applications like Hotmail or Gmail, or hijacking any other web-based transaction where the web server and the client's browser are identified through randomly generated session IDs.

Once this breach was uncovered, Beyond Security worked with Gutterman on the development of a practical attack which enabled testing the theory. Beyond Security also posted a security alert on their SecuriTeam.com IT security portal: http://www.securiteam.com/securityreviews/5TP0F0UEVQ.html
As leaders in the field of vulnerability assessment and management, Beyond Security is working with web application software vendors and leading websites to ensure that all measures possible are being undertaken to safeguard customer information.
"Zvi's research is very important because it addresses a vulnerability that is so prevalent on so many ecommerce and financial services websites, where security professionals felt that randomly generated session IDs were impenetrable," said Aviram Jenik, CEO of Beyond Security. "In penetration testing conducted at Beyond Security we discovered more than 11,900 vulnerable servers from a small sub-set of web servers. Realistically, the problem Zvi uncovered affects hundreds of thousands of web servers that support sensitive financial transactions every second."

For more about Zvi Gutterman's presentation at the RSA Conference in San Francisco on Tuesday, February 15th at 3:25 pm, please go to: http://2005.rsaconference.com/us/general/presentation_info.aspx?id=9361
About Beyond Security
Beyond Security, a privately held company, develops leading vulnerability assessment and self-management solutions that facilitate preemptive, real-time and continuous network, server, database and application security. The company was founded in 1999 by the founders of the SecuriTeam portal (www.securiteam.com), a leading source for vulnerability alerts and solutions serving 1.5 million monthly page views to IT security professionals. Beyond Security's founders are great believers in automation, which is why the company sells tools instead of using them to provide services. Beyond Security's goal is to decrease the number of security holes in products to manageable levels and empower software vendors to release secure products. For more information, visit www.beyondsecurity.com.