@JayStout I think this “administrator sessions were not linked to the IP / network location” was the actual problem.
The duration of the session was also probably long, since the user had uploaded a HAR file with the session and the hacker was able to use it, which is probably also quite some time.
So even if the employee was not logged in with the private account, this problem was present. The use of the private account is circumstantial, the real cause was the session problem.
Tip for others
At Okta, a number of things are still not optimal as standard. If you use Okta for your business, run a free external scan of your login page at https://observatory.mozilla.org/, and don’t forget to tick the “Don’t include my site in the public results” box if you don’t want that.
Your login page should have an A+ ranking and preferably score 135 points. That is possible, but if this is not the case for you, please talk to Okta or your implementation consultant.
Also discuss session length and linking sessions to IP addresses.
If you support HTTP/3, you can see if the browser handshake ID (the one from TLSv1.3 that the browser is familiar with on a second visit within a short time) can also be tied to your session, which is stronger than an IP address: only that one client can provide that signature, and only for a period determined by the server.
So it is safer than a session cookie + IP address.
[Comment edited by djwice on 5 November 2023 17:25]
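The two session controls the comment above argues for (binding a session to the network location it was issued for, and capping its lifetime) as an added example, not code from the post or from Okta; the policy values, the function names and the addresses are constructed for illustration.

```python
"""Session validation that binds a token to its issuing network and enforces
absolute and idle lifetimes, so a copied session token (e.g. one leaked in a
HAR file) is useless from another network or after expiry.
Hypothetical code; MAX_SESSION_AGE / MAX_IDLE are assumed policy values."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

MAX_SESSION_AGE = 8 * 3600   # absolute lifetime in seconds (assumed policy)
MAX_IDLE = 30 * 60           # idle timeout in seconds (assumed policy)


@dataclass
class Session:
    token: str
    network: ipaddress.IPv4Network | ipaddress.IPv6Network  # issuing client's prefix
    issued_at: float
    last_seen: float


def network_of(ip: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    """Reduce a client address to a /24 (v4) or /64 (v6) prefix so that a
    small address change inside the same network does not log the user out."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)


def issue(token: str, client_ip: str, now: float) -> Session:
    """Create a session bound to the network the login request came from."""
    return Session(token, network_of(client_ip), issued_at=now, last_seen=now)


def validate(session: Session, client_ip: str, now: float) -> tuple[bool, str]:
    """Return (ok, reason). The token being syntactically valid is not enough:
    it must be fresh, recently used, and presented from the bound network."""
    if now - session.issued_at > MAX_SESSION_AGE:
        return False, "absolute lifetime exceeded"
    if now - session.last_seen > MAX_IDLE:
        return False, "idle timeout exceeded"
    if ipaddress.ip_address(client_ip) not in session.network:
        return False, "network location mismatch"
    session.last_seen = now
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: login from 203.0.113.10, replay from elsewhere.
    s = issue("constructed-token", "203.0.113.10", 1_000_000.0)
    print(validate(s, "203.0.113.77", 1_000_100.0))   # same /24 -> ok
    print(validate(s, "198.51.100.7", 1_000_200.0))   # other network -> rejected
```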