A security researcher named Alexander Korznikov recently published an intriguing post on his blog. The article draws attention to devices that run Windows operating systems and have multiple user accounts. According to the researcher, command line tools helped him gain access to other users’ accounts. As it turns out, every version of Windows has this controversial feature. However, only a privileged user can use the command line to take over another user’s session. It does not matter whether the targeted user has higher or lower privileges: the hijacking is possible either way.
To make the situation clearer, here is the example Korznikov used to explain the flaw. He pointed out that if an employee of a certain facility has access to important databases or servers, the fact that the employee locks his/her account does not mean that no one can access the system. For his example, Korznikov chose a bank. So, let’s say a bank employee locks a system and leaves. Then an administrator of the system arrives and logs into the employee’s workstation with his/her own separate user account. If the administrator takes advantage of command line tools, he/she can enter the employee’s account and initiate questionable procedures.
Even though Korznikov was eager to categorize his discovery as a vulnerability, there is much to be discussed before such a conclusion can be drawn. For example, Microsoft's position is that the feature is not a flaw, because only people who already have privileges can exploit it. In addition, Microsoft is not convinced that hijacking other user accounts is as easy as Korznikov describes. According to Korznikov, it takes less than 5 minutes to hijack a session.
In the report, Korznikov states that if this feature in Windows operating systems is successfully exploited, it is possible to view a domain admin's session, including all unfinished projects and other software that had been launched. Surprisingly, Korznikov also created a video showing the actual procedure for getting access to another user's session. As mentioned above, it takes very little time to hijack a session.
The biggest concern that Korznikov expresses is that almost anyone can disguise themselves as a logged-in user. This can be done directly at the computer, when different users of the same device try to hijack each other's sessions. However, the biggest problem is that people can also attempt this remotely, from other computers. As it turns out, securing your user account with a complicated password is not enough, because sneaky tricks can help others bypass this security measure. For now, we are unsure whether the issue that Alexander Korznikov describes should be treated as an emergency, but it is definitely something to consider.