Slashdot Mirror

← Back to Stories (view on slashdot.org)

HTTPS Cookie Hijacking Not Just For Gmail

Posted by timothy on from the cookie-monster-demands-satisfaction dept.

mikepery writes with a followup to last month's mention of a security vulnerability affecting Gmail accounts, which it seems understated the problem. "I figure the Slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool are gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put 'CookieMonster' in the subject, without a space." (More below.) "I'd also like to encourage security professionals and consultants to request a copy of the tool for use in encouraging their clients to adopt SSL properly for their websites. There's no possible way for me to reach every site, but if convincing demonstrations can be given of the vulnerability on an individual basis, perhaps that will drive the issue home much more than the press alone has done. Heck, the tool might even land you a few new clients."

16 of 128 comments (clear)

  1. Easy to find out... by nweaver · · Score: 5, Informative

    If you want to manually examine a site you visit:

    Clear all cookies.

    Log in.

    Clear all cookies marked as "SECURE" (in firefox, preferences->privacy->show cookies. Delete JUST the cookies marked as "Encrypted connections only").

    Go back to the site. Can you act as if you are logged in? If so, the site is COMPLETELY insecure.

    --
    Test your net with Netalyzr
    1. Re:Easy to find out... by pragueexpat · · Score: 5, Interesting

      if this is true (and I am able to follow directions correctly) then Bank of America has some explaining to do.

      --

      "The prohibition will be strongest when the group is nervous." - Paul Graham

    2. Re:Easy to find out... by blueg3 · · Score: 4, Insightful

      I think the explanation is quite simple. "We don't know what we're doing."

    3. Re:Easy to find out... by brunascle · · Score: 4, Informative

      If you're suggesting that the site should be tying the cookie to an ip address, then I have to disagree. I've done just that, and I discovered that it's a very bad idea. Not just because some people have a different ip address from one session to the next, but because some of them have a different ip address from one page to the next. For example, there are some ISPs that send GET requests through one address, and POSTs through another.

    4. Re:Easy to find out... by mcrbids · · Score: 3, Interesting

      I did this with our own web-based product and found out that yes, indeed, we are insecure. It took a few minutes of poking around to find out how to secure our site.

      So, for everybody else: if you are using PHP, you need to pay attention to Set_Cookie_Params() . Here's the 1-liner call that we make in order to solve this problem for us, before any calls to session_register():


      Session_Set_Cookie_Params(720, '/', $_SERVER['SERVER_NAME'], true);

      Parameters:

      1) 720: Our sessions timeout after 2 hours.

      2) '/': the cookie applies to all paths within our site.

      3) $_SERVER['SERVER_NAME']: applies only to the specific domain name originally called. (we use subdomains, so this is important)

      4) true: (the most important one), this means that the cookies can only be used over SSL.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  2. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  3. WTF?!? by Anonymous Coward · · Score: 5, Insightful

    If you are going to release a tool, just fucking do it. Give is a link and be done with it.

  4. please tag itsatrap by sveard · · Score: 4, Interesting

    Why don't YOU just e-mail the guy and be done with it?!

    Perhaps it's... A TRAP!

    1. Re:please tag itsatrap by Joe+U · · Score: 3, Funny

      Please install this tool on all servers and workstations as admin for maximum benifit.

  5. Re:yeah... by n3tcat · · Score: 5, Informative

    In what way? We run a lot of stuff over our SIPR and I haven't really noticed any "limits" to what we've done. Hell, I even watch CNN over SIPR sometimes.

  6. Djagno and Secure Cookies by randomc0de · · Score: 5, Informative

    I run a few Django SSL-secured websites, and I noticed the default is to send insecure cookies for the session id (i.e. hijack-able cookies). I'm going to try to get on someone's case to make this information more widely available, because you have to turn on secure cookies with a "SESSION_COOKIE_SECURE = True" statement, which I never knew until I checked today. Doing this should secure any Django-powered site from this particular attack.

    --
    Three rights make a left. Freedom of speech, freedom of the press, freedom of assembly.
  7. How do you secure a site? by JoeCommodore · · Score: 3, Interesting

    There were a lot of 'email me's and talk about bad htps settings but not much content on really what needs to be done for fixing an existing site or properly setting up a new site to be secure.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
    1. Re:How do you secure a site? by jimicus · · Score: 3, Informative

      There were a lot of 'email me's and talk about bad htps settings but not much content on really what needs to be done for fixing an existing site or properly setting up a new site to be secure.

      Executive summary:

      It is possible to set a single bit in a cookie sent to the browser which means "Only send this cookie over secured connections".

      Many websites (including some important ones like online banking) don't set this bit for the cookie(s) used for session tracking. Hence, it is possible for an attacker to get the cookie with an invisible proxy that injects HTML which forces the browser to fetch something from the server which set up the cookie.

      eg. I set up an invisible proxy on my wireless network which injects into every page and logs the cookie your browser sends when it attempts to connect to mail.google.com for the image.

      I can now plug this cookie into Firefox and read your email.

      Solution: if your website sets any cookies over an HTTPS connection, such cookies must set the bit meaning "Only send over secure connections". How one goes about doing this will depend on whether you're generating cookies yourself or using an existing framework.

  8. Re:yeah... by LiENUS · · Score: 3, Funny

    Walk into any US Intel / Base Ops / Command Post in the world, and you'll find CNN on a big flat-screen up on the wall.

    I tried this, now i'm in gitmo.

  9. Re:new security vulnerability by gad_zuki! · · Score: 4, Funny

    cmvia is command modulated voice interface application. In other words you roll down your window and yell 'MIKE PERRY I NEED THAT FILE.' Eventually a carrier pigeon delivers it to you.

  10. The issue described by rabtech · · Score: 4, Informative

    1. Look at DNS requests or do a IP-domain reverse lookup to know what websites the target is visiting over HTTPS. Automated tool can do this over time.

    2. On next regular HTTP request by your target, be a man-in-the-middle and inject an image pointing to desired HTTPS site, except don't use HTTPS - just HTTP.

    3. Browser will dutifully send the cookie along with the image request over plain HTTP (after all, the domain names match), even though the cookie was created and managed only via HTTPS by the original website.

    4. Now your automated sniffer just picked up the supposedly "secure" cookie for the HTTPS site, even though you never even attempted to hack the HTTPS conversation. If the site stores your username/password, a session id, etc this could expose sensitive information.

    5. Protect your applications by setting the encrypted session only flag on the cookie so the browser won't send it with plain HTTP requests. If you have HTTP and HTTPS areas of the site, keep separate cookies for both areas and make sure sensitive info is only stored in the HTTPS-only cookie.

    --
    Natural != (nontoxic || beneficial)