Uneasy trend - Static Webmail Session IDs

[thehorse13]

Lately I have taken special note of the increase in webmail use at my facility. This is the normal response when restrictions are placed in our acceptable use policy for internal e-mail use.

The Issue:
=============================
Static webmail session IDs

Example:
=============================
http://ms04.mrf.mail.rcn.net/wm/mail...ail&mbox=INBOX

NOTE!!! I changed the SessionID so don't bother trying to get into this account.

The Guilty
=============================
Well you can easily see that RCN is at fault here but they are not alone. *MANY* ISPs are using this lazy approach. My advice to you is to copy the URL to your webmail session to a text file then take it to another PC and see if you can access your inbox. I have a list of 37 ISPs who currently employ this horribleness. I have informed each and every one along with the user. So far, only 3 have made changes.

In the past, I used to be able to release info on problem ISPs but DHS has spoken and I no longer can without a ton of red tape traversal. Just do yourself a favor and be sure that your ISP doesn't set static sessionIDs on your webmail sessions. Think about what I can do if I can gain access to your account this way. Muhwahahahaa.

Seriously though. I can't say it enough. Check into it.

--TH13

[chsh]

I've seen more than just webmail implement this. Certain forum software was vulnerable this way as well. In most cases I've seen the developers opted to rely on their own method of generating SIDs, which was often non-random due to how the SIDs were generated.

All I can say is if you are implementing webmail (far easier than it sounds), go with Horde. The Imp and Turba packages are all you need for just standard webmail.

Edit: Yeah, misread the original message.

[The Grunt]

I'm actually surprised you rely on an ISP to run webmail for ya horse, I was under the impression you worked at a large organization.

I think he means people logging on to their home ISP's email accounts from work.
Horsey is our government guy. That is a very large organization.

[thehorse13]

Yep, these are personal accounts being accessed. You should know me better than that.

[Simple Simon]

Call me thick, (no... no... I didn't mean it!), but I'm not entirely sure what the thehorse13 means by "Static webmail session Id's"

I guessed, after looking at my webmail URL when logged in, thehorse13 was typeing about the use of variables in the URL. Mine has these if they are preceeded by a %.

If I'm wrong would someone tell me I'm thick and then enlighten me?

Thanks.

[chsh]

You're thick. :P

A Session ID is just a unique identifier for a particular "visit" (Session) to a piece of web software. Having static session IDs is bad because it means someone can copy your URL and always get to your mailbox from wherever they like in many cases, though not all. The entire system is a kludge way of turning web software into desktop software, and there are a number of issues to take into consideration when designing web-based software . HTTP was not meant to be a persistent connection client-server protocol, and a lot of issues arise from it.

Now, these session IDs can be stored in a number of places, among which is the URL. Commonly they are put in URLs, "Session cookies" (a special type of cookie/header that expires when the session is terminated), or in real Cookies. Some bad implementations also rely on POSTed variables (<input type="hidden"&gt.

[Simple Simon]

Thanks for that chsh. That makes sense to me. So I can't be completely thick! lol

One further question then, if I may? How can I tell that the URL that thehorse13 placed in his posting uses a static webmail session id?

More importantly how do I know if my URL, when logged into my webmail, uses a static session id?

You've scared me now. Not that I use webmail a lot, only occasionally, but I'm wondering how secure it is!

[thehorse13]

Take a closer look. There is a sessionID=(lots of letters and numbers) statement in there.

[Simple Simon]

Thanks for that thehorse13. Needed to look at the full string as displayed at the bottom of IE (I know, I know IE, but I'm at work and have no choice! LOL).

Boy do I feel like an idiot now! How obvious was that!?!

Time to go home me thinks!

[EDIT]
Just been to my webmail logged in, captured the URL in the address bar, logged out, then pasted the URL back into the address bar. It gave me an error, saying I had logged out, etc, etc.

So feel a little relieved now!
[/EDIT]

[Tiger Shark]

It's kinda fun catching these when people try to get to their webmail from work.... If they are static you can then send them an email from their own account pointing out the danger.....

They seem to stop trying to use their webmail from work really quickly ....