Feeds

CookieMonster nabs user creds from secure sites

Secure in name only

Beginner's guide to SSL certificates

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels.

Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim's browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user's browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

According to Mike Perry, the creator of CookieMonster, websites that appear to be vulnerable to the attack include united.com, bankofamerica.com, register.com, netflix.com, and a host of other big-name online destinations. Errata Security's Rob Graham, who introduced Sidejacking tools a little more than a year ago, says Gmail is not vulnerable as long as a recently implemented https-only option is turned on. But Google Docs, Google's Blogger.com and Google Finance remain wide open.

The vulnerability stems from website developers' failure to designate authentication cookies as secure. That means web browsers are free to send them over the insecure http channel, and that's exactly what CookieMonster causes them to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure (non-https) portions of the protected website, and - voila! - the browser sends the authentication cookie. (For a more detailed explanation of how it works, see this link.)

For now, CookieMonster is in the hands of only about 225 security professionals. In the next couple weeks, he plans to make it generally available. Perry says he hopes the limited release will help spread the word that this vulnerabilty needs to be fixed sooner rather than later.

While Perry has listed some two-dozen sites that are vulnerable, we're betting the list is much, much bigger. To find out if your bank is susceptible, clear all cookies and then log in to the site. Next, clear all cookies marked as "SECURE" (in Firefox, go to preferences > privacy > show cookies. Delete only the cookies marked as "Encrypted connections only"). Then visit the site again. If you're logged in, there's a strong chance the site is wide open.

If you find any, feel free to report it as a comment. ®

Remote control for virtualized desktops

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.