Author Topic: News Article: Insecure Cookies Leak Sensitive Information  (Read 9208 times)

Ehtyar

  • Supporting Member
  • Joined in 2007
  • Posts: 1,237
News Article: Insecure Cookies Leak Sensitive Information
« on: September 14, 2008, 04:14 AM »
> Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies without the secure bit set.

> Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels.
>
> Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim's browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user's browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

Full Story

Ehtyar.
« Last Edit: September 14, 2008, 03:38 PM by Ehtyar »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: News Article: Insecure Cookies Leak Sensitive Information
« Reply #1 on: September 14, 2008, 08:17 AM »
Sounds pretty nasty :/

IMHO a SessionId (or whatever other information stored in cookies) by itself shouldn't be enough to be validated on a site... an active session ought to also track the IP the connection is originating from. Doesn't solve the problem, but it should mitigate the problem.
- carpe noctem
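The session-to-address binding f0dder proposes above, as an added example written for this thread (it is not IPB's code or that of any forum software mentioned here): a hypothetical in-memory session store that records the client address a session was issued to and refuses the same token from any other address. The class and function names, the addresses and the TTL are all assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical session store written for this example; not IPB's or any real forum's code.
SESSION_TTL = 3600  # seconds a session stays valid after it is created (assumed value)


@dataclass
class Session:
    user: str
    client_ip: str                      # address the session was issued to
    created: float = field(default_factory=time.time)


class SessionStore:
    """Server-side sessions keyed by a random token. The token alone is not enough:
    validate() also requires the request to come from the address that logged in."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, client_ip: str) -> str:
        # 256 bits of randomness; the token carries no meaning by itself, only the store does.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, client_ip=client_ip)
        return token

    def validate(self, token: str, client_ip: str, now: Optional[float] = None):
        """Return the user name if the token is valid for this client, else None."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess.created > SESSION_TTL:
            del self._sessions[token]   # expired: drop it so a leaked token dies with it
            return None
        # The check f0dder proposes: a token presented from a different address than the
        # one it was issued to is rejected even though the token itself is valid.
        # compare_digest keeps the comparison constant-time.
        if not hmac.compare_digest(sess.client_ip.encode(), client_ip.encode()):
            return None
        return sess.user


def demo():
    """Constructed scenario: alice logs in from one address; the same token is then
    replayed from a second address, as it would be after the cookie was captured."""
    store = SessionStore()
    token = store.create("alice", "203.0.113.5")
    return {
        "same_ip": store.validate(token, "203.0.113.5"),    # "alice"
        "other_ip": store.validate(token, "198.51.100.7"),  # None
    }


if __name__ == "__main__":
    print(demo())
```

The rejection is deliberately not a revocation: a legitimate user whose address changes mid-session (mobile hand-off, a NAT pool) would otherwise be logged out by their own traffic, which is the trade-off f0dder alludes to with "doesn't solve the problem, but it should mitigate the problem".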

Ehtyar

  • Supporting Member
  • Joined in 2007
  • Posts: 1,237
Re: News Article: Insecure Cookies Leak Sensitive Information
« Reply #2 on: September 14, 2008, 08:22 AM »
> IMHO a SessionId (or whatever other information stored in cookies) by itself shouldn't be enough to be validated on a site... an active session ought to also track the IP the connection is originating from. Doesn't solve the problem, but it should mitigate the problem.

I've experienced that feature on a few forums I frequent. I think IPB does it by default.

Ehtyar.

mwb1100

  • Supporting Member
  • Joined in 2006
  • Posts: 1,645
Re: News Article: Insecure Cookies Leak Sensitive Information
« Reply #3 on: September 14, 2008, 02:21 PM »
> Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies with the secure bit set.

That should read "takes advantage of cookies without the secure bit set".

The exploit works by poisoning or otherwise spoofing DNS somehow (the article doesn't mention how CookieMonster does this, and I'm not sure how easy it is to do) and placing images on a webpage that claim to come from the target website, but without HTTPS/SSL. If the secure bit is not set on the authentication cookie, the browser will send it along in cleartext so the attacker gets the cookie. If the secure bit is set on the authentication cookie, the browser will not send it to the attacker.

Ehtyar

  • Supporting Member
  • Joined in 2007
  • Posts: 1,237
Re: News Article: Insecure Cookies Leak Sensitive Information
« Reply #4 on: September 14, 2008, 03:43 PM »
> > Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies with the secure bit set.
>
> That should read "takes advantage of cookies without the secure bit set".

Thank you.

> The exploit works by poisoning or otherwise spoofing DNS somehow (the article doesn't mention how CookieMonster does this, and I'm not sure how easy it is to do) and placing images on a webpage that claim to come from the target website, but without HTTPS/SSL. If the secure bit is not set on the authentication cookie, the browser will send it along in cleartext so the attacker gets the cookie. If the secure bit is set on the authentication cookie, the browser will not send it to the attacker.

The Kaminsky flaw is fast falling from the public spotlight, though whether it should be remains to be seen. I imagine exploits taking advantage of it will be popping up for some time.

Ehtyar.

mwb1100

  • Supporting Member
  • Joined in 2006
  • Posts: 1,645
Re: News Article: Insecure Cookies Leak Sensitive Information
« Reply #5 on: September 14, 2008, 05:11 PM »
On a somewhat related note (cookie stealing), Coding Horror recently did an article about the fact that cookies should be marked "HttpOnly" to prevent being stolen by JavaScript attacks:

http://www.codinghor...archives/001167.html

I wonder how much stuff would break if browsers changed the protocol to make cookies HttpOnly by default (make websites specifically mark them as "OK for JavaScript") and automatically mark cookies the browser gets via HTTPS/SSL with the 'secure bit'.  Let the website specifically indicate that the cookie is not secure instead of the other way around ('secure by default').

I wonder if this is something that can be added to FireFox via plugin (I know nothing about how low-level plugins can get).  It might be interesting to see if web browsing is still usable.
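The secure-bit rule mwb1100 describes in Reply #3 and the "secure by default" idea in this reply, as one added example that is not taken from the article, from Coding Horror, or from any browser's or framework's code: a small model of when a browser attaches a cookie to a request, an audit of the Secure and HttpOnly flags on a session cookie, and a response filter that appends the flags an application left out. The hostname bank.example, the cookie values and every function name are constructed for the example.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Hand-rolled Set-Cookie handling written for this example; not a browser's or a
# framework's implementation. Hostname and cookie values are constructed.
SITE = "bank.example"
WEAK_HEADER = "sid=abc123; Path=/"                        # neither flag set
HARDENED_HEADER = "sid=abc123; Path=/; Secure; HttpOnly"  # both flags set


@dataclass
class Cookie:
    name: str
    value: str
    domain: str     # host the cookie belongs to, without a leading dot
    path: str
    secure: bool    # only sent over https://
    httponly: bool  # not exposed to document.cookie


def parse_set_cookie(header: str, default_domain: str) -> Cookie:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive and
    Secure/HttpOnly are bare flags that carry no value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    domain = attrs.get("domain")
    domain = domain.lstrip(".").lower() if isinstance(domain, str) else default_domain
    path = attrs.get("path")
    path = path if isinstance(path, str) and path else "/"
    return Cookie(name.strip(), value.strip(), domain, path,
                  secure=attrs.get("secure") is True,
                  httponly=attrs.get("httponly") is True)


def browser_would_send(cookie: Cookie, url: str) -> bool:
    """Model of the rule mwb1100 describes: the browser attaches the cookie when host
    and path match and, for a Secure cookie, only when the scheme is https."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    path_ok = (u.path or "/").startswith(cookie.path)
    scheme_ok = u.scheme == "https" or not cookie.secure
    return domain_ok and path_ok and scheme_ok


def audit(cookie: Cookie) -> List[str]:
    """Findings a defender would raise about a session cookie's flags."""
    findings = []
    if not cookie.secure:
        findings.append(f"{cookie.name}: no Secure flag; a plain http://{cookie.domain}/ "
                        "request (an image tag is enough) carries it in cleartext")
    if not cookie.httponly:
        findings.append(f"{cookie.name}: no HttpOnly flag; page script can read it "
                        "via document.cookie")
    return findings


def harden_set_cookie(header: str) -> str:
    """Server-side version of the 'secure by default' mwb1100 wonders about: a response
    filter that appends the flags the application left out."""
    present = {p.strip().lower() for p in header.split(";")}
    out = header.rstrip("; ")
    if "secure" not in present:
        out += "; Secure"
    if "httponly" not in present:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    probe = "http://bank.example/img/logo.png"   # a cleartext image fetch on the same host
    for header in (WEAK_HEADER, HARDENED_HEADER):
        c = parse_set_cookie(header, SITE)
        print(header)
        for finding in audit(c) or ["no findings"]:
            print("   ", finding)
        print("    sent with", probe, "?", browser_would_send(c, probe))
    print(harden_set_cookie(WEAK_HEADER))
```

Running it shows the weak cookie travelling with a plain http:// image request on the same host while the hardened one stays home, which is the whole difference mwb1100's post turns on; harden_set_cookie is what a framework would do if the default were flipped the way this reply suggests.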

Ehtyar

  • Supporting Member
  • Joined in 2007
  • Posts: 1,237
Re: News Article: Insecure Cookies Leak Sensitive Information
« Reply #6 on: September 14, 2008, 05:15 PM »
> I wonder if this is something that can be added to FireFox via plugin (I know nothing about how low-level plugins can get). It might be interesting to see if web browsing is still usable.

When I read the article myself, I ran a quick search on Mozilla and it does not seem there is an extension for this, nor is there one for the secure bit. I would say it's relatively easy, but I suck at overlays so I'm not your man.

Ehtyar.

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • Posts: 873
Re: News Article: Insecure Cookies Leak Sensitive Information
« Reply #7 on: September 15, 2008, 05:32 AM »
And people say I'm paranoid for having cookies disabled by default, and only enabling them on-demand - and after use they are cleared again.

Yes, it's a pain having to type in your password every time you make a forum post etc. - but it's worth it imo. FF extensions like CookieSafe easily let you do this at the click of a mouse.

It's probably also an even better idea to have a separate, sandboxed browser environment to do your online banking on. (Or even use a vm just for the purpose).

Ehtyar

  • Supporting Member
  • Joined in 2007
  • Posts: 1,237
Re: News Article: Insecure Cookies Leak Sensitive Information
« Reply #8 on: September 15, 2008, 07:35 AM »
I use Cookie Monster myself, though I allow sites I frequent/trust permanently; otherwise a site is temporarily allowed permission if necessary, and denied in all other situations.

Ehtyar.