Dear Brian Eaton, --Monday, September 11, 2006, 7:35:08 PM, you wrote to [EMAIL PROTECTED]:
>> >> Network is compromised as long as attacker keeps control under
>> >> compromised host regardless of authentication. And sometimes longer.

BE> - the spyware has access to the web mail system for as long as the
BE> token is in the machine
BE> - once the token is removed, the spyware can continue accessing the
BE> web mail system until the web mail system session expires

BE> So the damage is limited to what is stolen during the session, while
BE> with a password-only system the account could be used for an
BE> indefinite time period, i.e. until password change.

Not exactly. As you said, the token will be used for initial authentication, but a cookie will be used for session tracking. Everything depends on the cookie expiration time and how it's implemented.

If the cookie never expires, or the expiration time is long enough to keep the session between user logons to web mail, the intruder can keep using the session with the same cookie.

If the IP is not checked for the cookie, the intruder can use the cookie offline from his own host.

If the IP is checked, but the cookie is automatically refreshed or the expiration time is high, the intruder can use the compromised host as a 'bot' to keep the session alive, even after user logoff.

The intruder can redirect the client's traffic to his own host and use it as a proxy to web mail, to keep the session from his host to web mail after the user finishes.

A lot of different scenarios to keep the session after the token is removed.

-- 
~/ZARAZA http://www.security.nnov.ru/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
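The scenarios in the reply above (cookie replayed from the attacker's own host, and a bot on the compromised host refreshing a sliding-expiry session) modelled as an added example; this is not code from the original post or from any web mail product. It assumes a server-side session store with three tunable policies (idle timeout refreshed on each request, optional absolute lifetime, optional client-IP binding); the user names, IP addresses and timestamps are constructed for the simulation.

```python
"""Session-tracking model for the cookie-persistence scenarios above.

Added example, not code from the original post. Three policies are
simulated: a sliding idle timeout (refreshed on every request), an
optional absolute session lifetime, and optional binding of the
cookie to the client IP. All identities, IPs and times are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    ip: str          # IP the session was created from
    created: float   # login time (seconds)
    last_seen: float # last accepted request (seconds)


class SessionStore:
    def __init__(self, idle_timeout: float,
                 absolute_lifetime: Optional[float], bind_ip: bool):
        self.idle_timeout = idle_timeout          # sliding window
        self.absolute_lifetime = absolute_lifetime  # None = unbounded
        self.bind_ip = bind_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, ip: str, now: float) -> str:
        """Token authentication succeeded; issue a random session cookie."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, ip, now, now)
        return sid

    def access(self, sid: str, ip: str, now: float) -> Optional[str]:
        """Validate a cookie presented from `ip` at time `now`.

        Returns the user on success, None if the cookie is rejected.
        A successful request refreshes the sliding idle timer, which is
        exactly what lets a keep-alive bot extend the session.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.bind_ip and ip != s.ip:
            return None                     # cookie used from another host
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[sid]         # idle too long
            return None
        if (self.absolute_lifetime is not None
                and now - s.created > self.absolute_lifetime):
            del self._sessions[sid]         # hard cap reached
            return None
        s.last_seen = now                   # sliding refresh
        return s.user


IDLE = 15 * 60                 # 15 minute idle timeout (constructed)
USER_IP = "10.0.0.5"           # constructed: the user's (compromised) host
ATTACKER_IP = "203.0.113.9"    # constructed: the intruder's own host


def replay_stolen_cookie(bind_ip: bool) -> Optional[str]:
    """Spyware exfiltrates the cookie; the intruder replays it from his host."""
    store = SessionStore(IDLE, None, bind_ip)
    sid = store.login("alice", USER_IP, now=0.0)
    return store.access(sid, ATTACKER_IP, now=60.0)


def keep_alive_bot(absolute_lifetime: Optional[float]) -> Optional[str]:
    """IP is bound, so the intruder instead uses the compromised host as a bot.

    The user removes the token right after login and never logs out; the
    bot touches the session every 10 minutes (inside the idle window) for
    a full day. Returns the user if the session is still usable at the end.
    """
    store = SessionStore(IDLE, absolute_lifetime, bind_ip=True)
    sid = store.login("alice", USER_IP, now=0.0)
    result = None
    t = 0.0
    while t <= 24 * 3600:
        t += 600
        result = store.access(sid, USER_IP, t)
    return result


if __name__ == "__main__":
    print("no IP check, cookie replayed remotely:", replay_stolen_cookie(False))
    print("IP check, cookie replayed remotely:   ", replay_stolen_cookie(True))
    print("IP check, bot, no absolute lifetime:  ", keep_alive_bot(None))
    print("IP check, bot, 1h absolute lifetime:  ", keep_alive_bot(3600))
```

IP binding stops only the first scenario; with a sliding timeout alone the bot keeps the session usable indefinitely, and only an absolute lifetime (or server-side invalidation when the token is removed) bounds the window the intruder has after the token is pulled.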
