Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-13217

Remember me cookie leak

XMLWordPrintable

      This is very theoretical but I think you'll agree with the conclusion I make.

      The "Manage “Remember Me” login keys" section in the UCP lists the current users login keys, currently this displays the ID (the login key), last IP and last use time.

      The login key is an MD5 hash of the cookie stored in the users browser, a theoretical XSS attack against phpBB could allow an attacker to steal the login keys for a user. Alternatively a user could inadvertently publish the login keys without realising the consequences.

      An attacker after stealing the login keys can brute force the MD5 hash, given a single GPU this is possible in < 30 years. Applying parallel processing this time could be reduced to under a month (less than the default validity period.)

      Given the login key is useless to the user, I don't see a valid use case to reveal it and possibly allowing it to be collected by an attacker. A savvy user could compare the cookies and login keys to work out which browser is which in their list. To aid usability the current login key should be highlighted somehow within the list.

            Marc Marc
            ToonArmy Chris Smith
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: