A new flaw in cookie handling that makes log-ins persistent has been discovered by security researcher Rishi Narang.
When a user logs into an account, the server sends a cookie â€“ a small piece of text â€“ that holds his session ID and tells the server he successfully passed authentication and should be served content without a further log-in prompt when navigating between pages.
Cookies are set to expire, either when they reach their validity date, or when the user logs out. The new discovery, however, reveals that a number of websites such as Yahoo, LinkedIn and Twitter still keep the cookie/session ID for an authenticated session valid even if they have expired or the Â user has logged out of his account.
According to the researcherâ€™s report, old cookies for these services can be simply added to the browser and they become valid immediately, even if they are expired or nulled via logout.
â€œâ€¦These cookies are days (sometimes months) old. As a result, someone can successfully access accounts that belong to individuals from different global locations. Even if they would have logged-in/logged out many a times, theirs cookie would still be valid,â€ reads the blog post.
The situation is even worse for Yahoo users. Earlier this year, a spam message redirected users to a malicious page where they had their cookies stolen. Most have been advised to simply log out of Yahoo services to render the stolen cookies useless for the attacker. If todayâ€™s report is true, some of the unauthorized account usage reports may still be the result of the cookie harvesting campaign in January, although those cookies should have gone rotten quite a while ago.