News Article: Insecure Cookies Leak Sensitive Information

[Ehtyar]

Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies without the secure bit set.

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels.

Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim's browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user's browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

Full Story

Ehtyar.

[f0dder]

Sounds pretty nasty :/

IMHO a SessionId (or whatever other information stored in cookies) by itself shouldn't be enough to be validated on a site... an active session ought to also track the IP the connection is originating from. Doesn't solve the problem, but it should mitigate the problem.

[Ehtyar]

IMHO a SessionId (or whatever other information stored in cookies) by itself shouldn't be enough to be validated on a site... an active session ought to also track the IP the connection is originating from. Doesn't solve the problem, but it should mitigate the problem.

-f0dder (September 14, 2008, 08:17 AM)

I've experienced that feature on a few forums I frequent. I think IPB does it by default.

Ehtyar.

[mwb1100]

Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies with the secure bit set.

-Ehtyar (September 14, 2008, 04:14 AM)

That should read "takes advantage of cookies without the secure bit set". 

The exploit works by poisoning or otherwise spoofing DNS somehow (the article doesn't mention how CookieMonster does this, and I'm not sure how easy it is to do) and placing images on webpage that claim to come from the target website, but without HTTPS/SSL.  If the secure bit is not set on the authentication cookie, the browser will send it along in cleartext so the attacker gets the cookie.  If the secure bit is set on the authentication cookie, the browser will not send it to the attacker.

[Ehtyar]

Secure websites are vulnerable to a new man-in-the-middle attack that takes advantage of cookies with the secure bit set.

-Ehtyar (September 14, 2008, 04:14 AM)

That should read "takes advantage of cookies without the secure bit set". 

-mwb1100 (September 14, 2008, 02:21 PM)

Thank you.

The exploit works by poisoning or otherwise spoofing DNS somehow (the article doesn't mention how CookieMonster does this, and I'm not sure how easy it is to do) and placing images on webpage that claim to come from the target website, but without HTTPS/SSL.  If the secure bit is not set on the authentication cookie, the browser will send it along in cleartext so the attacker gets the cookie.  If the secure bit is set on the authentication cookie, the browser will not send it to the attacker.

-mwb1100 (September 14, 2008, 02:21 PM)

The Kaminski flaw is fast falling from the public spotlight, though whether it should be remains to be seen. I imagine exploits taking advantage of it will be popping up for some time.

Ehtyar.

[mwb1100]

On a somewhat related note (cookie stealing), Coding Horror recently did an article about the fact that cookies should be marked "HttpOnly" to prevent being stolen by JavaScript attacks:

http://www.codinghor...archives/001167.html

I wonder how much stuff would break if browsers changed the protocol to make cookies HttpOnly by default (make websites specifically mark them as "OK for JavaScript") and automatically mark cookies the browser gets via HTTPS/SSL with the 'secure bit'.  Let the website specifically indicate that the cookie is not secure instead of the other way around ('secure by default').

I wonder if this is something that can be added to FireFox via plugin (I know nothing about how low-level plugins can get).  It might be interesting to see if web browsing is still usable.

[Ehtyar]

I wonder if this is something that can be added to FireFox via plugin (I know nothing about how low-level plugins can get).  It might be interesting to see if web browsing is still usable.

-mwb1100 (September 14, 2008, 05:11 PM)

When I read the article myself, I ran a quick search on mozilla and it does not seem there is an extension for this, nor is there one for the secure bit. I would say it's relatively easy, but I suck at overlays so I'm not your man.

Ehtyar.

[Gothi[c]]

And people say I'm paranoid for having cookies disabled by default, and only enabling them on-demand - and after use they are cleared again.

Yes, it's a pain having to type in your password every time you make a forum post etc.- but it's worth it imo. FF extensions like cookiesafe easily let you do this at the click of a mouse.

It's probably also an even better idea to have a separate, sandboxed browser environment to do your online banking on. (Or even use a vm just for the purpose).

[Ehtyar]

I use Cookie Monster myself, though I allow sites i frequent/trust permanently, otherwise a site is temporarily allowed permission if necessary, and denied in all other situations.

Ehtyar.