Twitter, LinkedIn, Yahoo! and Hotmail accounts are open to hijacking thanks to a flaw that allows cookies to be stolen and reused.
According to researcher Rishi Narang, these applications fail to assign new session identities, which allows for a session fixation attack in which the accounts can be hijacked.
An attacker would need to intercept cookies while the user is logged into the service, as the cookies expire on logout - with the exception of LinkedIn, which kept its cookies active for three months, Narang said.
Attackers in possession of the right cookie would have unfettered access to accounts. Password changes would not prevent access.
SC Magazine Australia replayed Narang's proof of concept steps and was able to access various Twitter accounts by inserting the respective alphanumeric auth_token into locally-stored Twitter cookies using the cookie manager browser extension. It is understood Twitter knew of the vulnerability.
Microsoft Outlook, Live services and Yahoo were also affected,
Narang said: "Twitter, Microsoft and Yahoo used HTTPS to help mitigate the risk of the cookies being remotely intercepted, but Narang said that was not enough.
"To me it is a compensatory control, it is not a fix for a session management vulnerability," Narang said.
"There are examples where cookies can be accessible to hijack authenticated sessions, and these cookies are days, sometimes months old. As a result, someone can successfully access accounts that belong to individuals from different global locations."
Director of Sydney-based penetration testing firm HackLabs, Chris Gatford, was surprised such large companies would leave the vulnerability exposed.
"It's web app security 101," Gatford said.
He said other attack techniques would be required in order to swipe the cookies and gain account access from a remote location.
"You could use some sort of cross-site scripting attack if you did not have physical access to the machine".
During penetration tests Gatford found many organisations were exposed to the vulnerability and failed to fix it after becoming aware of the problem. He said a quick fix for some complex frameworks could be to utilise two cookies for the login process.