My Website was hacked using Statcounter! Does Statcounter keep a record of cookies?

Question

I had a rather interesting case of hacking on my ASP.Net MVC website. For this website I had implemented a rather uncomplicated authentication system for my admin area -- an encrypted cookie which had an identifying signature for the member. Whenever the admin visits the website the cookie would be decrypted and signature verified. If matching he wouldn't have to sign in.

Couple of days ago a visitor on my site told me that he was able to sign into my website simply by clicking no a referral link on his Statcounter console which pointed to my admin area (I had visited his site from a link inside my admin view).

He just clicked on a link in statcounter and he was signed in as the admin!

The only way this could have happened was if statcounter somehow recorded my cookies and used those when he clicked on the link pointing to my admin!

Is that logical or fathomable?

I don't understand what's going on. Do you have any suggestions as to how I can protect my website against things like this?

Update : I created an IP address whitelisting system to protect my admin from unauthorised access. Basically the server will now compare the IP address of the visitor against a whitelist and only allow access if the ip address is in that list. It also supports wildcards so it will be okay even for dynamic ip addresses.

Although it is not foolproof, but it takes up the security many notches.

Answer 1

I don't know how you did the authentication on your site, but this is how I did it, and I don't thing that anyone could break this one:

var authTicket = new FormsAuthenticationTicket(
          1,
          userName,  //user id
          DateTime.Now,
          DateTime.Now.AddMinutes(20),  // expiry
          createPersistentCookie, 
          null,
          "/");

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));

        HttpContext.Current.Response.Cookies.Add(cookie);

this uses FormsAuthentication and it encrypts the cookie using the key from your machine.config

Answer 2

I don't see how that could have happened via StatCounter - even if it exposed the link to your admin area as described, his local machine wouldn't have the authentication cookie. Ask him to send you the link he followed, and try it yourself on a browser you don't normally use, or a different PC. My guess is there's something flawed in your authentication system that means that a link to the admin area automatically works if someone (ie, you) is already logged in elsewhere. Alternatively, the link includes your full credentials and that's not StatCounter's fault.