Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Thursday, September 11, 2008

CookieMonster Can Steal HTTPS Cookies

The Python-based tool actively gathers insecure SSL information and records that as well as normal HTTP cookies to Firefox-compatible cookie files.  A so-called CookieMonster attack is coming, and if you use Web-based services that involve login credentials, such as Web e-mail or online banking, you may want to turn your fear and paranoia dial to 11, one researcher warns.  “CookieMonster is a Python-based tool that actively gathers insecure HTTPS cookies, and records these as well as normal http cookies to Firefox compatible cookie files,” explains Mike Perry, the security researcher who created the software, in a documentation file.

Sadly, it turns out that many Web sites do not properly set the “Encrypted Sessions Only” property of their cookies.

Because HTTPS cookies are full of tasty authentication information, they can be used to access online banking accounts, Webmail accounts, and the like.

Perry proposes the following test to see whether sites you use are vulnerable: “To check your sites under Firefox, go to the Privacy tab in the Preferences window, and click on ‘Show Cookies.’  For a given site, inspect the individual cookies for the top level name of the site, and any subdomain names, and if any have ‘Send For: Encrypted connections only,’ delete them.

Having tried these steps with two “Encrypted connections only” Google (NSDQ: GOOG) cookies, Google appears to be vulnerable to a CookieMonster attack.  A Google spokesperson confirmed this to be the case and said the company’s engineers are working with Perry to eliminate the vulnerability.

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml;jsessionid=2P0R3N2D1VQU4QSNDLPCKH0CJUNN2JVN?articleID=210601197

Posted on 09/11
WarningsPermalink