Skip to main content

CookieMonster Loves HTTPS Cookies

(Credit: www.gegen-den-strich.com)

A small oversight in the way secure cookies are being configured by some major websites, such as Gmail, Facebook, Yahoo Mail, Hotmail, many on-line retailers and even some on-line banks, is allowing a new hacking tool on the web called CookieMonster to hijack user’s accounts. The program relies on several commonly used hacking techniques to seamlessly steal a user’s improperly handled HTTPS cookies.

For over a year Mike Perry, creator of CookieMonster, has been aware of an exploitable fault in the way many popular websites handle their user’s HTTPS cookies, a supposedly secure authentication feature that allows a user to login to a website and remain logged in for later revisits. When announcing his findings of the exploit in 2007 to BugTraq, Defcon, and even to Google, his warnings of the exploit went largely unheard and unheeded. Apparently fixing a bug is of little concern if it is not posing any immediate issues, so Mike Perry knew what he had to do next.

At the 2008 Defcon, a popular hackers convention, Mike Perry announced a working tool called CookieMonster that clearly demonstrates the power of the exploit. He warned in the coming weeks he would soon release the software to the public, allowing just enough time for web developers to correct the issue first. Google, Microsoft and Twitter were relatively quick to announce they were working on a fix, although many websites are still currently vulnerable, including some on-line banks. At the moment, it is said CookieMonster has only been released to a limited group of security experts for security testing purposes, with a public release to come soon. At this point however, CookieMonster’s core code has been been fully disclosed and explained, making it only a matter of time before script-kiddies get their hands on working versions.

The entire exploit is based around the fact that many sites using SSL only support SSL partially, be it out of an oversight or as a choice to save on costs. The SSL bit in transmitted data is seldom used for example and in the case of a cookie file, this lack of security can result in a loss of personal security.

A scenario of where this can be exploited is when a user connects to a public WiFi hot-spot with their laptop. If a hacker is nearby with their laptop also, they may be able to capture the wireless data being transferred between the user and the Internet and also be able to inject their own extra data into that connection. By injecting the HTML code for an image request for a specific site, such as Gmail, a hacker may trigger the user’s browser to transmit the user’s unprotected cookie files for that site and subsequently allow the hacker to capture those cookies. Once captured and saved, the hacker can use those cookie files to login to the user’s account. CookieMonster automates much of this procedure and is flexible enough to be configured for other related uses.

An often overlooked aspect of this vulnerability is that the user would not even need to have the website being targeted open for this to work, assuming the user previously logged into their account and had not since been signed out. While Gmail may no longer be affected, many on-line banking sites could still be vulnerable, giving more reason to sign out of a site after using it and clearing out a browser’s cookies regularly. While some sites are blamed for not properly using SSL, there are some sites that do not use SSL at all and have been vulnerable to well known attacks of this nature for some time.

A way you can check to see if a site is vulnerable under Firefox is explained by Mike Perry, “go to the Privacy tab in the Preferences window, and click on ’Show Cookies’. For a given site, inspect the individual cookies for the top level name of the site, and any subdomain names, and if any have ’Send For: Encrypted connections only’, delete them. Then try to visit your site again. If it still allows you in, the site is insecure and your session can be stolen. You should report this to the site maintainer.“