2011-11-21 Instructure Advisory IAC71043 - Session Cookie Replay Attack
SECURITY UPDATE
Release Date: 2011-11-21 (last update can be found below the document title)
Description: Session Cookie Replay Attack
Criticality Level: Less Critical (scale: Less Critical < Critical < Moderately Critical < Highly Critical)
Impact: Easier Session Hijacking
Systems Affected: Canvas LMS
Solution Status: Patched
Discovered By: Securus Global
Relevant Changesets: https://github.com/instructure/canvas-lms/commit/4ef50c16d8ac570c2a6c091f5105c5c96194526b
Summary:
A security audit has identified that the "stay logged in" login cookie for a given user always has the same value until the user changes their password or performs another similar action. The same cookie is also set when the user does not select "stay logged in"; in that case it is a session cookie and is not persisted to the local disk, but its value is the same.
The impact is that an attacker who steals the user's cookies can log in to Canvas as that user repeatedly and for an indefinite period of time (until the user changes their password), because the stolen value never expires or rotates. Note that all communication with Canvas Cloud is over SSL, which makes intercepting the user's Canvas cookies in transit much more difficult.
Status:
A modification to Canvas has been developed that makes the "stay logged in" cookie a one-time-use token whose value differs for every user agent and every authentication: each time the token is presented it is consumed and replaced, so a stolen copy cannot be replayed. Future development will also place sensitive actions behind a login prompt when the user was authenticated through this token, forcing them to re-authenticate before performing such actions.
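The following Ruby sketch is an added illustration of the two designs the summary and status describe; it is not Canvas code and is not taken from the linked changeset. The legacy scheme derives the cookie deterministically from the user id and a stand-in for password-bound data (an assumption about how the pre-patch value stayed constant); the hardened scheme stores a hash of a random per-login secret, consumes the token on first presentation and issues a replacement, and binds each token to the user agent it was issued to (the binding check is an assumption about how "changes value for every user agent" is enforced). The in-memory store stands in for a database table.

```ruby
require 'securerandom'
require 'digest'

# Fixed-time comparison of two equal-length strings (avoids a timing side channel).
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Legacy scheme: deterministic cookie (illustrative, assumption) ---
# The value only changes when password_salt changes, i.e. on password change,
# so a captured value remains valid indefinitely.
def legacy_remember_cookie(user_id, password_salt)
  Digest::SHA1.hexdigest("#{user_id}:#{password_salt}")
end

def legacy_accept?(cookie, user_id, password_salt)
  constant_time_eq?(cookie, legacy_remember_cookie(user_id, password_salt))
end

# --- Hardened scheme: rotating one-time token per user agent per login ---
class PersistentTokenStore
  Entry = Struct.new(:user_id, :secret_hash, :user_agent)

  def initialize
    @entries = {} # token_id => Entry; constructed in-memory stand-in for a table
  end

  # Issue a fresh token for one user on one user agent and return the cookie value.
  # Only a hash of the secret is stored, so a leaked table yields no usable cookies.
  def issue(user_id, user_agent)
    token_id = SecureRandom.hex(8)
    secret   = SecureRandom.urlsafe_base64(32)
    @entries[token_id] = Entry.new(user_id, Digest::SHA256.hexdigest(secret), user_agent)
    "#{token_id}:#{secret}"
  end

  # Redeem a presented cookie: returns [user_id, replacement_cookie] or nil.
  # The token is removed on first presentation, valid or not, so a second
  # presentation of the same value (a replay) always fails.
  def redeem(cookie, user_agent)
    token_id, secret = cookie.to_s.split(':', 2)
    entry = @entries.delete(token_id)
    return nil if entry.nil? || secret.nil?
    return nil unless constant_time_eq?(entry.secret_hash, Digest::SHA256.hexdigest(secret))
    return nil unless entry.user_agent == user_agent # bound to issuing agent (assumption)
    [entry.user_id, issue(entry.user_id, user_agent)]
  end

  # Revoke every outstanding token for a user, e.g. on password change.
  def revoke_all(user_id)
    @entries.delete_if { |_, e| e.user_id == user_id }
    nil
  end

  def count_for(user_id)
    @entries.count { |_, e| e.user_id == user_id }
  end
end

# Scenario (constructed): the attacker copied the cookie once and presents it
# three times. Returns how many presentations were accepted under each scheme.
def replay_count_legacy(user_id = 42, salt = 'constructed-salt')
  stolen = legacy_remember_cookie(user_id, salt)
  3.times.count { legacy_accept?(stolen, user_id, salt) }
end

def replay_count_rotating(user_id = 42, ua = 'Mozilla/5.0 (constructed)')
  store  = PersistentTokenStore.new
  stolen = store.issue(user_id, ua) # attacker copies the cookie from the victim's browser
  3.times.count { !store.redeem(stolen, ua).nil? }
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy cookie accepted #{replay_count_legacy} of 3 replays"
  puts "rotating token accepted #{replay_count_rotating} of 3 replays"
end
```

With the rotating design a stolen copy is good for at most one use, and whichever party (victim or attacker) presents it second is refused, which is also a usable signal that the token was duplicated. Consuming the token even on a failed presentation means a bad guess only forces a fresh interactive login rather than leaving a replayable value behind.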