Slashdot Mirror


HTTPS Cookie Hijacking Not Just For Gmail

mikepery writes with a followup to last month's mention of a security vulnerability affecting Gmail accounts, which it seems understated the problem. "I figure the Slashdot readership is the best place to reach a large number of slacking admins and developers, so I want to announce that it's been 30 days since my DEFCON presentation on HTTPS cookie hijacking, and as such, it's now time to release the tool to a much wider group. Despite what was initially reported, neither the attack nor the tool is gmail-specific, and many other websites are vulnerable. So, if you maintain any sort of reasonable looking website secured by any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put 'CookieMonster' in the subject, without a space." "I'd also like to encourage security professionals and consultants to request a copy of the tool for use in encouraging their clients to adopt SSL properly for their websites. There's no possible way for me to reach every site, but if convincing demonstrations can be given of the vulnerability on an individual basis, perhaps that will drive the issue home much more than the press alone has done. Heck, the tool might even land you a few new clients."

5 of 128 comments

  1. Easy to find out... by nweaver · Score: 5, Informative

    If you want to manually examine a site you visit:

    Clear all cookies.

    Log in.

    Clear all cookies marked as "SECURE" (in Firefox, Preferences -> Privacy -> Show Cookies. Delete JUST the cookies marked as "Encrypted connections only").

    Go back to the site. Can you act as if you are logged in? If so, the site is COMPLETELY insecure.

    --
    Test your net with Netalyzr
    1. Re:Easy to find out... by pragueexpat · Score: 5, Interesting

      If this is true (and I am able to follow directions correctly) then Bank of America has some explaining to do.

      --

      "The prohibition will be strongest when the group is nervous." - Paul Graham

  2. WTF?!? by Anonymous Coward · Score: 5, Insightful

    If you are going to release a tool, just fucking do it. Give us a link and be done with it.

  3. Re:yeah... by n3tcat · Score: 5, Informative

    In what way? We run a lot of stuff over our SIPR and I haven't really noticed any "limits" to what we've done. Hell, I even watch CNN over SIPR sometimes.

  4. Django and Secure Cookies by randomc0de · Score: 5, Informative

    I run a few Django SSL-secured websites, and I noticed the default is to send insecure cookies for the session id (i.e., hijackable cookies). I'm going to try to get on someone's case to make this information more widely available, because you have to turn on secure cookies with a "SESSION_COOKIE_SECURE = True" statement, which I never knew until I checked today. Doing this should secure any Django-powered site from this particular attack.

    --
    Three rights make a left. Freedom of speech, freedom of the press, freedom of assembly.
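The following script is an added example for this mirror; it is not code from the thread, from the CookieMonster tool, or from Django. It automates nweaver's manual Firefox test above and illustrates randomc0de's Django point: it parses Set-Cookie headers, keeps only the cookies a browser would still send on an http:// request (everything without the Secure attribute), and reports any session cookie among them. The list of session cookie names and the sample headers are constructed; the only fact taken from the thread is that Django's sessionid cookie carries no Secure attribute until SESSION_COOKIE_SECURE = True is set.

```python
"""Report session cookies that a browser would send over plain HTTP.

Added example, not code from the Slashdot thread, the CookieMonster tool or
Django. Automates the manual Firefox check in nweaver's comment: whatever the
browser still presents after the Secure-flagged cookies are removed is what a
network eavesdropper gets when the victim loads any http:// URL on the host.
Sample headers and the session-name list are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Cookie names that commonly carry a login session. Constructed list; extend
# it for the application under test.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid", "session"}


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are lower-cased; value-less flags (Secure, HttpOnly) map to None.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; Attr; Attr=val; ..."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attributes: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attributes[key.strip().lower()] = val.strip() if has_value else None
    return Cookie(name.strip(), value.strip(), attributes)


def sent_over_http(cookies: List[Cookie]) -> List[Cookie]:
    """Browser behaviour: cookies with the Secure attribute are withheld from http:// requests."""
    return [c for c in cookies if not c.secure]


def hijackable(headers: List[str]) -> bool:
    """True when a session cookie would travel over plain HTTP (nweaver's test fails)."""
    cookies = [parse_set_cookie(h) for h in headers]
    return any(c.name.lower() in SESSION_COOKIE_NAMES for c in sent_over_http(cookies))


def audit(headers: List[str]) -> List[str]:
    """One finding per problem; an empty list means the session cookies are flagged correctly."""
    cookies = [parse_set_cookie(h) for h in headers]
    findings: List[str] = []
    for c in sent_over_http(cookies):
        if c.name.lower() in SESSION_COOKIE_NAMES:
            findings.append(f"{c.name}: no Secure attribute, leaks over plain HTTP")
    for c in cookies:
        if c.name.lower() in SESSION_COOKIE_NAMES and not c.httponly:
            findings.append(f"{c.name}: no HttpOnly attribute, readable by script")
    return findings


# Constructed samples: a Django session cookie as emitted with the default
# SESSION_COOKIE_SECURE = False, the same cookie after SESSION_COOKIE_SECURE = True
# (HttpOnly added here as well), and an unrelated preference cookie.
DJANGO_DEFAULT = "sessionid=3k9f2q1x7b; expires=Sat, 04-Oct-2008 12:00:00 GMT; Max-Age=1209600; Path=/"
DJANGO_HARDENED = DJANGO_DEFAULT + "; secure; HttpOnly"
PREFERENCE = "lang=en; Path=/"


def main() -> None:
    for label, headers in (("default settings", [DJANGO_DEFAULT, PREFERENCE]),
                           ("SESSION_COOKIE_SECURE = True", [DJANGO_HARDENED, PREFERENCE])):
        print(f"{label}: {'HIJACKABLE' if hijackable(headers) else 'ok'}")
        for finding in audit(headers):
            print("  -", finding)


if __name__ == "__main__":
    main()
```

To test a live site, log in once and paste the Set-Cookie lines from the response (for example from `curl -i` against the login endpoint) into the `headers` list; the manual Firefox steps in the comment remain the quickest check when no terminal is handy.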