

News Article: Insecure Cookies Leak Sensitive Information


Ehtyar:
Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies without the secure bit set.

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels.

Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim's browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user's browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

--- End quote ---

Full Story

Ehtyar.

f0dder:
Sounds pretty nasty :/

IMHO a SessionId (or whatever other information stored in cookies) by itself shouldn't be enough to be validated on a site... an active session ought to also track the IP the connection is originating from. Doesn't solve the problem, but it should mitigate the problem.

Ehtyar:
IMHO a SessionId (or whatever other information stored in cookies) by itself shouldn't be enough to be validated on a site... an active session ought to also track the IP the connection is originating from. Doesn't solve the problem, but it should mitigate the problem.
-f0dder (September 14, 2008, 08:17 AM)
--- End quote ---
I've experienced that feature on a few forums I frequent. I think IPB does it by default.

Ehtyar.

mwb1100:
Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies with the secure bit set.
-Ehtyar (September 14, 2008, 04:14 AM)
--- End quote ---

That should read "takes advantage of cookies without the secure bit set". 

The exploit works by poisoning or otherwise spoofing DNS somehow (the article doesn't mention how CookieMonster does this, and I'm not sure how easy it is to do) and placing images on a webpage that claim to come from the target website, but without HTTPS/SSL.  If the secure bit is not set on the authentication cookie, the browser will send it along in cleartext so the attacker gets the cookie.  If the secure bit is set on the authentication cookie, the browser will not send it to the attacker.
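
The browser rule behind the explanation above, as an added example that is not part of the thread or the CookieMonster tool: a minimal cookie-jar model implementing the RFC 6265 (section 5.4) behaviour that a cookie carrying the Secure attribute is only attached to requests over https, while every other cookie for the host also goes out over plain http. The host name bank.example, the cookie names and the image URL are constructed for illustration; how DNS gets spoofed so the http request reaches the attacker is left out, as it is in the article.

```javascript
// Added example, not code from the article or the thread. Models only the part
// of browser cookie handling that decides the CookieMonster outcome: whether a
// cookie is sent on a plain-http request to the same host name.

function parseSetCookie(header) {
  // "SESSIONID=abc123; Secure; HttpOnly" -> { name, value, secure, httpOnly }
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Store the Set-Cookie headers of a response from `host`, replacing same-name cookies.
function storeCookies(jar, host, setCookieHeaders) {
  const list = jar.get(host) || [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    const i = list.findIndex(x => x.name === c.name);
    if (i >= 0) list[i] = c; else list.push(c);
  }
  jar.set(host, list);
}

// Build the Cookie request header a browser would attach to `url`.
// The Secure filter is the only thing standing between the attacker and the
// session cookie; HttpOnly does not help here because the cookie still travels
// over the network, it is just hidden from script.
function cookieHeaderFor(jar, url) {
  const u = new URL(url);
  const secureChannel = u.protocol === 'https:';
  return (jar.get(u.hostname) || [])
    .filter(c => secureChannel || !c.secure)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Scenario from the thread: the victim holds a session with the bank; an
// attacker-controlled page embeds <img src="http://bank.example/img.png">.
// With the name spoofed to the attacker's address, that http request (and its
// Cookie header) is delivered to the attacker in cleartext.
function simulateCookieMonster(setCookieHeaders) {
  const jar = new Map();
  storeCookies(jar, 'bank.example', setCookieHeaders); // constructed host name
  return {
    toBankOverHttps: cookieHeaderFor(jar, 'https://bank.example/account'),
    leakedOverHttp: cookieHeaderFor(jar, 'http://bank.example/img.png'),
  };
}

// Constructed Set-Cookie headers: the weak form beside the corrected one.
const VULNERABLE = ['SESSIONID=abc123; HttpOnly', 'lang=en'];
const HARDENED = ['SESSIONID=abc123; Secure; HttpOnly', 'lang=en'];

console.log('without Secure, leaked over http:', simulateCookieMonster(VULNERABLE).leakedOverHttp);
console.log('with Secure, leaked over http:   ', simulateCookieMonster(HARDENED).leakedOverHttp);
```

Running it shows `SESSIONID=abc123; lang=en` leaking in the first case and only `lang=en` in the second; the hardened session cookie is still sent on the https request, so setting Secure costs the site nothing as long as the whole authenticated session is already served over SSL.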

Ehtyar:
Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies with the secure bit set.
-Ehtyar (September 14, 2008, 04:14 AM)
--- End quote ---
That should read "takes advantage of cookies without the secure bit set". 
-mwb1100 (September 14, 2008, 02:21 PM)
--- End quote ---
Thank you.
The exploit works by poisoning or otherwise spoofing DNS somehow (the article doesn't mention how CookieMonster does this, and I'm not sure how easy it is to do) and placing images on a webpage that claim to come from the target website, but without HTTPS/SSL.  If the secure bit is not set on the authentication cookie, the browser will send it along in cleartext so the attacker gets the cookie.  If the secure bit is set on the authentication cookie, the browser will not send it to the attacker.
-mwb1100 (September 14, 2008, 02:21 PM)
--- End quote ---
The Kaminsky flaw is fast falling from the public spotlight, though whether it should be remains to be seen. I imagine exploits taking advantage of it will be popping up for some time.

Ehtyar.
