Slashdot Mirror


HTTPS Cookie Hijacking Not Just For Gmail

mikepery writes with a followup to last month's mention of a security vulnerability affecting Gmail accounts, which it seems understated the problem. "I figure the Slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool is Gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable-looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put 'CookieMonster' in the subject, without a space." "I'd also like to encourage security professionals and consultants to request a copy of the tool for use in encouraging their clients to adopt SSL properly for their websites. There's no possible way for me to reach every site, but if convincing demonstrations can be given of the vulnerability on an individual basis, perhaps that will drive the issue home much more than the press alone has done. Heck, the tool might even land you a few new clients."
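The weakness the submission alludes to is a session cookie issued over HTTPS without the Secure attribute: the browser will attach such a cookie to any plain-HTTP request for the same host, so an attacker on the victim's network only has to get the browser to fetch one cleartext URL on that domain to read the cookie. The following Python is an added example, not the CookieMonster tool or any code from the post; the Set-Cookie headers in it are constructed, and the helper names (parse_set_cookie, sent_over, audit, harden) are this example's own. It audits a site's Set-Cookie headers for cookies that would leak over HTTP and shows the hardened form a site should send instead.

```python
"""Audit Set-Cookie headers for the condition HTTPS cookie hijacking relies on:
a cookie set over HTTPS that the browser would also send over cleartext HTTP.
Added example; not code from the Slashdot post or the CookieMonster tool."""


def parse_set_cookie(header):
    """Parse one Set-Cookie header into (name, value, {attribute: value}).

    Flag attributes such as Secure and HttpOnly map to True; attribute
    names are lower-cased so lookups are case-insensitive as in browsers.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def sent_over(scheme, attrs):
    """Would a browser attach a cookie with these attributes to a request over
    `scheme` ("http" or "https")?  Without Secure, the answer is yes for both."""
    if attrs.get("secure") is True:
        return scheme == "https"
    return True


def audit(set_cookie_headers, scheme="http"):
    """Return the names of cookies a network attacker would see if the victim's
    browser were made to fetch one URL over `scheme` on this domain."""
    return [
        parse_set_cookie(h)[0]
        for h in set_cookie_headers
        if sent_over(scheme, parse_set_cookie(h)[2])
    ]


def harden(header):
    """Return the Set-Cookie header with Secure and HttpOnly added if missing.

    Secure stops the cleartext leak; HttpOnly is added because the same
    session cookie is usually the one worth keeping away from script too.
    """
    _, _, attrs = parse_set_cookie(header)
    hardened = header.rstrip("; ")
    if attrs.get("secure") is not True:
        hardened += "; Secure"
    if attrs.get("httponly") is not True:
        hardened += "; HttpOnly"
    return hardened


# Constructed sample response headers (assumed values, not captured from any site).
SAMPLE_HEADERS = [
    "SID=9a8b7c6d5e4f; Domain=.example.com; Path=/",                 # session cookie, leaks over http
    "PREF=lang=en; Domain=.example.com; Path=/; Expires=Fri, 01 Jan 2038 00:00:00 GMT",  # leaks, low value
    "SSID=0f1e2d3c4b5a; Domain=.example.com; Path=/; Secure; HttpOnly",  # only ever sent over https
]

if __name__ == "__main__":
    print("cookies exposed to a cleartext request:", audit(SAMPLE_HEADERS))
    for h in SAMPLE_HEADERS:
        print("hardened:", harden(h))
    print("after hardening, exposed:", audit([harden(h) for h in SAMPLE_HEADERS]))
```

Note that a Domain attribute scoped to the parent domain (as in the constructed sample) widens the exposure: a cleartext request to any subdomain, not only the HTTPS host, will carry the cookie. Adding Secure to the session cookie is what "adopting SSL properly" means here; serving the login page over HTTPS alone does not help if the cookie is still sent over HTTP afterwards.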

7 of 128 comments

  1. new security vulnerability by Anonymous Coward · Score: 2, Funny

    Posting an e-mail address on /.

    1. Re:new security vulnerability by gad_zuki! · Score: 4, Funny

      cmvia is command modulated voice interface application. In other words you roll down your window and yell 'MIKE PERRY I NEED THAT FILE.' Eventually a carrier pigeon delivers it to you.

    2. Re:new security vulnerability by Heembo · Score: 2, Funny

      He was just trying to use basic Darwinism to filter out idiots. But some defender of white moths told them to fly away and take cover cause da smoke was a comin! Dam u!

      --
      Horns are really just a broken halo.
  2. Re:yeah... by $RANDOMLUSER · Score: 2, Funny

    Yep. The Very Best(tm) security is an air gap.
    But it kinda limits your possibilities.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  3. Re:please tag itsatrap by Joe+U · Score: 3, Funny

    Please install this tool on all servers and workstations as admin for maximum benefit.

  4. Re:Easy to find out... by morgan_greywolf · Score: 2, Funny

    If this is true (and I am able to follow directions correctly) then Bank of America has some explaining to do.

    Here, why don't you give me your current IP address real quick and I'll take a look at it to make sure you're doing everything correctly. ;)

  5. Re:yeah... by LiENUS · Score: 3, Funny

    Walk into any US Intel / Base Ops / Command Post in the world, and you'll find CNN on a big flat-screen up on the wall.

    I tried this, now I'm in Gitmo.