[Security Issue] Session Hijacking Possible in Codechef and SPOJ

Hey Coders !

This is to inform you all that session hijacking is possible in both Codechef and SPOJ. Though it’s sad to see that platforms like codechef have such a security issues, in order to preventof session hijacking, you are requested to log out of the page as soon as you are leaving the page. This will destroy the session on the server and hence session hijacking will be prevented.

To check the proof of this you can follow the below steps:-

  1. Install some of the cookie managers, so that you can edit the cookie values. eg : EditThisCookie is the chrome extension for cookie management
  2. Log in to your codechef account in one browser.
  3. Open incognito window and load codechef.com [Don’t login here].
  4. Copy the cookie value from the logged in browser using javascript console. The name of the cookie must start with SESS.
  5. Copy this value and paste this to the incognito window cookie whose value starts with SESS. You have to use the previously installed extension in order to edit the cookie.
  6. Reload the page. You will be logged in.

You can use the same procedure to log in to spoj. But the name of the cookie is SPOJ there.

NOTE: Despite of the fact that I mailed this issue to Codechef 2 days back, they don’t care about it. So it’s upto you now to protect yourself.

Hey nickzuck_007, we have received your email and are looking into the vulnerability. We will respond to your email accordingly.

Hey @nickzuck_007, this is not a security loop hole. HTTP works on the concept of Session-Cookie mechanism. A user is identified via the session id that is saved in his cookie. It is possible that if you have a cookie of a user, you can imitate that particular user to whom the Cookie belongs.

A user will certainly not share his cookies with others to protect his account information on a website. The website also ensures that Cookies are not hijacked via Man-in-the-middle attacks by using HTTPS to transfer data. All in all, I can assure you that your account is safe, unless you are sharing a computer with another user and he has access to your Cookies. In that case, I would suggest you to logout after every use of CodeChef.

2 Likes

This means I have a way to log in to multiple browers and SPOJ still have that vulnerability. Am I correct with both statements ?