I suspect that people will stop posting these articles once sites start implementing proper security controls.
While you might be very familiar with security, the kids coming out of school and stepping into jobs are not. They haven't heard that cookies can be abused, or even suspect that a person would or could inject Javascript into a program they wrote.
History repeats itself because a new ignorant workforce replaces the older more knowledgable one...I wonder if this cycle occurs more often in the security community.
The simple fact that there are so many sites out there that use cookies to store sensitive data indicates the need for such articles...of which I personal hope there are more!
I agree with the comments on doubleclick. Those are good points...but not really the focus of the article, as I read it.
From what I read, it suggested cookies aren't inherently evil. The problem illustrated by this article was that malcious hackers could alter their own cookies at any time and gain access to another persons restaurant.com account, regardless of whether or not that other person was even online.
You can't prevent this by deleting cookies or turning cookies off. All that would do is prevent a person from ever signing up for an account at restaurant.com (might not be a bad thing). The point was that sites are using cookies improperly and not understanding that anyone can alter them and break authentication/authorization shemes built around storing customer data in a cookie.
Slashdot Mirror
While you might be very familiar with security, the kids coming out of school and stepping into jobs are not. They haven't heard that cookies can be abused, or even suspect that a person would or could inject Javascript into a program they wrote.
History repeats itself because a new ignorant workforce replaces the older more knowledgable one...I wonder if this cycle occurs more often in the security community.
The simple fact that there are so many sites out there that use cookies to store sensitive data indicates the need for such articles...of which I personal hope there are more!
From what I read, it suggested cookies aren't inherently evil. The problem illustrated by this article was that malcious hackers could alter their own cookies at any time and gain access to another persons restaurant.com account, regardless of whether or not that other person was even online.
You can't prevent this by deleting cookies or turning cookies off. All that would do is prevent a person from ever signing up for an account at restaurant.com (might not be a bad thing). The point was that sites are using cookies improperly and not understanding that anyone can alter them and break authentication/authorization shemes built around storing customer data in a cookie.