CookieMonster Loves HTTPS Cookies

By Steve Seguin, published on September 12, 2008 at 6:00 PM
Source: Tom's Guide

A small oversight in the way HTTPS cookies are being configured by some major websites is allowing the new CookieMonster tool to actively steal a user’s cookies for many major websites.

(Image credit: www.gegen-den-strich.com)

A small oversight in the way secure cookies are being configured by some major websites, such as Gmail, Facebook, Yahoo Mail, Hotmail, many on-line retailers and even some on-line banks, is allowing a new hacking tool on the web called CookieMonster to hijack users' accounts. The program relies on several commonly used hacking techniques to seamlessly steal a user's improperly handled HTTPS cookies.

For over a year Mike Perry, creator of CookieMonster, has been aware of an exploitable fault in the way many popular websites handle their users' HTTPS cookies, a supposedly secure authentication feature that allows a user to log in to a website and remain logged in on later visits. When he announced his findings in 2007 on BugTraq, at Defcon, and even directly to Google, his warnings went largely unheard and unheeded. Apparently fixing a bug is of little concern if it is not posing any immediate issues, so Mike Perry knew what he had to do next.

At the 2008 Defcon, a popular hacker convention, Mike Perry announced a working tool called CookieMonster that clearly demonstrates the power of the exploit. He warned that in the coming weeks he would release the software to the public, allowing just enough time for web developers to correct the issue first. Google, Microsoft and Twitter were relatively quick to announce they were working on a fix, although many websites are still currently vulnerable, including some on-line banks. At the moment, CookieMonster is said to have been released only to a limited group of security experts for security testing purposes, with a public release to come soon. At this point, however, CookieMonster's core code has been fully disclosed and explained, making it only a matter of time before script-kiddies get their hands on working versions.

The entire exploit is based around the fact that many sites using SSL only support SSL partially, be it out of an oversight or as a choice to save on costs. The "secure" bit on a cookie, which tells the browser to send that cookie over encrypted connections only, is seldom set, for example, and for a cookie that carries a login session this lack of protection can cost the user their personal security.

One scenario in which this can be exploited is when a user connects to a public WiFi hot-spot with their laptop. If a hacker with a laptop is nearby, they may be able to capture the wireless data being transferred between the user and the Internet and also inject their own extra data into that connection. By injecting the HTML code for an image request to a specific site, such as Gmail, a hacker may trigger the user's browser to transmit the user's unprotected cookies for that site and subsequently capture those cookies. Once captured and saved, the hacker can use those cookies to log in to the user's account. CookieMonster automates much of this procedure and is flexible enough to be configured for other related uses.

An often overlooked aspect of this vulnerability is that the user does not even need to have the targeted website open for this to work, assuming the user previously logged into their account and has not since signed out. While Gmail may no longer be affected, many on-line banking sites could still be vulnerable, giving all the more reason to sign out of a site after using it and to clear the browser's cookies regularly. While some sites are blamed for not properly using SSL, there are some sites that do not use SSL at all and have been vulnerable to well known attacks of this nature for some time.

Mike Perry explains one way to check whether a site is vulnerable under Firefox: "go to the Privacy tab in the Preferences window, and click on 'Show Cookies'. For a given site, inspect the individual cookies for the top level name of the site, and any subdomain names, and if any have 'Send For: Encrypted connections only', delete them. Then try to visit your site again. If it still allows you in, the site is insecure and your session can be stolen. You should report this to the site maintainer."
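The same check can be run against a site's Set-Cookie headers instead of by hand. The Python below is an added example for this article, not code from CookieMonster or from Tom's Guide: it parses each Set-Cookie header, applies the browser rule the attack relies on (a cookie without the Secure attribute is sent on plain http:// requests too) and lists the cookies that would be exposed. The hostnames, cookie names and header values are constructed.

```python
"""Audit Set-Cookie headers for cookies a browser would also send over
plain HTTP, which is the misconfiguration CookieMonster takes advantage of.
Added example; header values and names below are constructed, not real."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into name, value and the
    attributes that matter here (Secure, HttpOnly, Domain)."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "domain": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            cookie[key] = True
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def would_be_sent(cookie, url, origin_host):
    """Browser rule: a cookie is attached to a request to a host inside its
    Domain on any scheme, unless Secure restricts it to https:// only."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = cookie["domain"] or origin_host
    in_scope = host == domain or host.endswith("." + domain)
    if not in_scope:
        return False
    return parts.scheme == "https" or not cookie["secure"]


def insecure_cookies(headers, origin_host):
    """Names of cookies that lack Secure and so would accompany a plain
    http:// image fetch to the same domain (Mike Perry's manual check)."""
    probe = "http://" + origin_host + "/probe.gif"  # constructed URL
    return [parse_set_cookie(h)["name"] for h in headers
            if would_be_sent(parse_set_cookie(h), probe, origin_host)]


# Constructed sample headers for a fictitious webmail host:
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.mail.example.com; Path=/; HttpOnly",          # exposed
    "SSID=def456; Domain=.mail.example.com; Path=/; Secure; HttpOnly", # protected
    "PREF=lang=en; Domain=.example.com; Path=/",                        # exposed
]
```

Running `insecure_cookies(SAMPLE_HEADERS, "mail.example.com")` reports SID and PREF; a site whose session cookie shows up in that list lets an attacker on the same network replay it exactly as the article describes.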

Comments

Kari 09/13/2008 2:15 AM

So this can only happen if you're using public wifi hot-spots? And I'm guessing unprotected WLAN as well??

steveseguin 09/13/2008 3:16 AM

It can actually happen on many levels, with public wifi probably being the most straightforward. Unsecured or WEP-based wifi are straightforward to exploit, with WPA-based wifi being very difficult, but still possible.

Using a VPN connection through a public wifi I would imagine might help safeguard yourself. Really, just clearing your cookies before using public wifi and not accessing secure sites while connected to it should help, I think.

DSL/Cable connections are also vulnerable, but a special modified modem would be needed in that case.

Also, virtually any man-in-the-middle attack would work -- so a compromised proxy for example would do it.

dariushro 09/13/2008 8:33 AM

Cookies SHOULD be used only for common stuff, like visual preferences of a site etc. If a cookie has sensitive information stored, it's only the site developer's fault.

michaelahess 09/13/2008 9:45 AM

I've been using a program called ferret to test my clients' wifi networks for over a year (make sure and use layer 2 segregation), sounds about the same as this. I can capture gmail and yahoo accounts and login instantly. I don't see how this is news except maybe for the fact that he did it at Defcon which WILL get a response.

steveseguin 09/13/2008 11:21 AM

Quote: "I can capture gmail and yahoo accounts and login instantly. I don't see how this is news except maybe for the fact that he did it at Def"

Do they have to be currently using their Gmail/yahoo for you to steal their accounts? In this hack, they never need to even visit the site during their session -- it works actively rather than passively. This could be used to steal banking information from a user on a public wifi, for example, even though the user never visited the banking site.

If ferret does do this actively as well, that is neat. But the main news, as you point out, is the fact it is getting a response, when there was none previously.

nukemaster 09/14/2008 5:26 AM

The Cookie Monster pic made it worth it.
