Cookie Re-Use in Office 365 and Other Web Services


Hacking into my American Express Account Without a Password

Note: I just tested it with a time delay, and the stolen cookie stops working after ten minutes of inactivity, so that lowers the risk to some extent. -- Added 11:19 am 7-23-13

Hacking into my Chase Account Without a Password

Note: I just tested it with a time delay, and the stolen cookie stops working after ten minutes of inactivity, so that lowers the risk to some extent. -- Added 2:07 pm 7-23-13


In 2012, The Hacker News posted this article showing that stolen cookies can be re-used in Hotmail and I wondered if it was still true, and I easily reproduced it using Chrome and the Edit This Cookie Extension.

Why this is Important

There are many ways of stealing cookies: XSS, malware, or just stealing your phone. And the person with the cookie can still use your account after you log off. Office 365 even lets attackers continue to use old cookies after you change your password, and after copying the cookies to a different machine.

So the "Log off" feature is the opposite of security--blocking the authorized user but not blocking attackers.

Why doesn't logging off cancel the cookie? That is obviously the intent of the user who clicks it. This seems like a bug to me. However, Microsoft was notified last year and decided they like it this way, as detailed in the Hacker News article.

Please Help

Please test more services and tweet results to me @sambowne

Step-by-step instructions are given below.

Here is the list of sites I and others have tested so far.

Allow Cookie Re‑Use

Deny Cookie Re‑Use


American Express (E)
Chase (E)
Discover Card (J)
@askRegions Bank (I)
TDbank (G)
Bank of America (L)
Arizona Federal Credit Union (L)


Amazon (A C)
IBM (including Many Eyes)
NetFlix (F)
TigerDirect (A C)
Woot (M)
Newegg (N)

Email & Social

Chrome App Store (A C G H)
iCloud (C K)
Office 365 (A B)
Soundcloud (G)
Twitter (C K)
Yahoo mail
YouTube (D G H)


The Guardian
Huffington Post
The New York Times
The Register
Ars Technica


Packet Storm (G)
Cloudflare (Fixed on 7-25-13)
Need My Password


NameCheap (I)
WHMCS (G) (tested by @nicoduck)
Insight (CCSF's Online Course System)


A: Cookie still works after password reset! (ty @dakami for asking this question)
B: Cookie still works when copied to another machine (ty @0x90NOP and @winremes for asking this question)
C: Cookie still worked after 12 hours logged out
D: Cookie no longer worked after 12 hours logged out
E: Cookie expires after 10 minutes
F: Tested by @privacyfanatic
G: Tested by @_KrypTiK
H: Verified by @sambowne
I: Tested by @jTizYl
J: Tested by Julie Hietschold
K: Password reset invalidates old cookie
L: Tested by Hector Acencio
M: Tested by @NDRoughneck
N: Tested by @splint3rz
O: Tested by @vaha

ASP.NET and Cookie Re-Use

I got this message from Richard Turnbull after my Defcon 21 talk with Matthew Prince:
"Re: the ineffective logout mechanisms you were talking about...ASP.NET's forms authentication function exhibits the behaviour you were describing (i.e. only invalidating the cookie on the client side at logout). This is definitely a bad idea (which is of course the point you were making) but I guess it is part of the reason why so many sites have this issue (in particular I remember seeing Office365 and another Microsoft site on your list - they may well be using ASP.NET).

We often report this issue when doing web application assessments for our clients, but without any real expectation that they'll do anything about it (because they'd either have to stop using ASP.NET forms auth or somehow persuade Microsoft to fix it!)"

From: Richard Turnbull, Principal Security Consultant, NCC Group

Step-by-Step instructions

1. Log in to Office 365 (or the other site you are testing)

Your name appears in the upper right corner, as shown below, and your emails are visible.

2. Save the URL

The URL of this page is different from the URL of the login page.

Add this page to your Favorites, or make some other record of its URL.

3. Export Cookies

Click the cookie icon, and click "Export cookies". A message pops up saying "Cookies copied to clipboard" as shown below:

4. Log Out

You now see the login screen, and your emails are no longer visible.

5. Return to the URL

Click the Favorite you made in step 2. As expected, that page does not show your emails anymore--it just redirects back to the login page.

6. Import Cookies

Click the cookie icon, and click "Import cookies".

A box appears saying "Paste here the cookies to import". Paste the cookies there, as shown below (I redacted the image, since anyone with this data can apparently get into my Office 365 account.)

Then click the "Submit cookie changes" button.

7. Return to the URL Again

Click the Favorite you made. If the site is vulnerable, you'll see your personalized page, as shown below.

If the site is not vulnerable, you will see a logon page.
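The seven steps above, together with the "Why this is Important" section and Richard Turnbull's note about ASP.NET forms authentication invalidating the cookie only on the client, all come down to one design question: does the server keep any record it can revoke? The following is an added example, not code from the original page or from any of the sites tested. It models both designs and drives the page's test (plus footnote checks A and E) against each. Class and function names (ClientSideOnlyLogout, ServerSideSessions, run_reuse_test, FakeClock) are my own; the ten-minute idle timeout is taken from footnote E.

```python
# Added example (not code from the original page). ClientSideOnlyLogout behaves
# like the sites in the "Allow Cookie Re-Use" column: the server only checks that
# the cookie is well-formed, so "logout" merely deletes it from the browser and an
# exported copy keeps working. ServerSideSessions revokes the session record at
# logout and at password reset and enforces an idle timeout, so a replayed cookie
# is rejected. run_reuse_test() is the page's steps 1-7 plus footnotes A and E.
import hmac
import secrets


class FakeClock:
    """Controllable clock so the idle-timeout check runs instantly."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ClientSideOnlyLogout:
    """Stateless cookie (user name plus HMAC). Nothing is recorded on the
    server, so there is nothing for logout or a password reset to revoke."""

    def __init__(self, key: bytes, clock=None):
        self.key = key
        self.clock = clock if clock is not None else FakeClock()

    def issue_cookie(self, user: str) -> str:
        tag = hmac.new(self.key, user.encode(), "sha256").hexdigest()
        return f"{user}.{tag}"

    def is_valid(self, cookie: str) -> bool:
        user, _, tag = cookie.rpartition(".")
        expected = hmac.new(self.key, user.encode(), "sha256").hexdigest()
        return hmac.compare_digest(tag, expected)

    def logout(self, cookie: str) -> None:
        pass  # the browser drops the cookie; the server forgets nothing

    def password_reset(self, user: str) -> None:
        pass  # the signing key is unchanged, so old cookies still verify


class ServerSideSessions:
    """Opaque random session id looked up in a server-side table."""

    def __init__(self, clock=None, idle_timeout: float = 600.0):
        self.clock = clock if clock is not None else FakeClock()
        self.idle_timeout = idle_timeout  # ten minutes, as in footnote E
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def issue_cookie(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def is_valid(self, cookie: str) -> bool:
        session = self._sessions.get(cookie)
        if session is None:
            return False  # revoked or never issued
        now = self.clock()
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[cookie]  # expired through inactivity
            return False
        session["last_seen"] = now  # sliding idle window
        return True

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)  # revoke on the server

    def password_reset(self, user: str) -> None:
        # Revoke every session of this user, not only the one doing the reset
        stale = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in stale:
            del self._sessions[sid]


def run_reuse_test(site, user: str = "alice", idle_seconds: float = 601.0) -> dict:
    """Replays the page's test: log in, export the cookie, log out, import it
    again. True means the old cookie is still accepted (site is vulnerable)."""
    cookie = site.issue_cookie(user)           # step 1: log in
    exported = cookie                          # step 3: export cookies
    site.logout(cookie)                        # step 4: log out
    after_logout = site.is_valid(exported)     # steps 6-7: import, revisit

    cookie = site.issue_cookie(user)           # fresh login for footnote A
    site.password_reset(user)
    after_reset = site.is_valid(cookie)

    cookie = site.issue_cookie(user)           # fresh login for footnote E
    site.clock.advance(idle_seconds)
    after_idle = site.is_valid(cookie)

    return {"after_logout": after_logout,
            "after_password_reset": after_reset,
            "after_idle": after_idle}


if __name__ == "__main__":
    print("client-side only:", run_reuse_test(ClientSideOnlyLogout(b"demo-key")))
    print("server-side     :", run_reuse_test(ServerSideSessions()))
```

Against ClientSideOnlyLogout every check comes back True, which is the Office 365 result on the page (footnotes A and B); against ServerSideSessions every check is False. The fix is the server-side table: logout and password reset delete rows from it, and the idle timeout bounds how long an exported cookie is useful even if the site forgets to revoke.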

Media Coverage

This issue has been published by @privacyfanatic in Network World!


Posted 12:23 pm 7-15-13 by Sam Bowne
Yahoo and Gmail test added 1:36 PM
More services added 6:24 pm 7-15-13
Reformatted 6:35 pm
More sites added 9:50 pm
iCloud and NetFlix added 11:26 am 7-16-13, Dropbox, Box, GitHub, and Cloudflare 2:33 pm 7-16-13
Edit 3:05 PM
Password reset for Office 365 tested 3:28 pm 7-16-13
Copying to another machine tested 3:41 pm 7-16-13
Added Insight, Waze 4:04 pm 7-16-13
Format changed 6:13 pm 7-16-13
Password managers added 10:40 am 7-17-13 added 11:10 am 7-17-13
Added many news sites 8:18 am 7-19-13
Discover added 4 pm 7-21-13
IBM, Reddit, Adobe, and Flickr added 1:50 pm 7-22-13
Reformatted 6:05 pm 7-22-13
Videos added with Chase and AmEx vulnerabilities 0:00 am 7-23-13
AmEx's ten-minute logout added 11:57 am 7-23-13
Chase's ten-minute logout added 2:06 pm 7-23-13
NameCheap and @askRegions Bank added 2:35 pm 7-23-13
Adobe moved from Bad to Good 11:36 am 7-24-13
Soundcloud added 12:14 pm 7-25-13
YouTube, Chrome, and TDbank added 12:47 pm 7-25-13
WHMCS added 2:09 pm 7-25-13
Packet Storm added 6:30 pm 7-25-13
Cloudflare moved to GOOD 7:23 pm 7-25-13
Duplicate of Vimeo removed 8:02 PM 7-25-13
Reformatted, 12 hr. test notes added 8:40 am 7-26-13
Note from Richard Turnbull added; "Topics" section added 11:36 am 8-3-13
Updated 1:12 pm 8-7-13 with L and M info
Updated 1:33 pm 8-8-13 with N info
Updated 11:42 am 8-13-13 with O info