Feeds

CookieMonster nabs user creds from secure sites

Secure in name only

Secure remote control for conventional and virtual desktops

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels.

Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim's browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user's browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

According to Mike Perry, the creator of CookieMonster, websites that appear to be vulnerable to the attack include united.com, bankofamerica.com, register.com, netflix.com, and a host of other big-name online destinations. Errata Security's Rob Graham, who introduced Sidejacking tools a little more than a year ago, says Gmail is not vulnerable as long as a recently implemented https-only option is turned on. But Google Docs, Google's Blogger.com and Google Finance remain wide open.

The vulnerability stems from website developers' failure to designate authentication cookies as secure. That means web browsers are free to send them over the insecure http channel, and that's exactly what CookieMonster causes them to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure (non-https) portions of the protected website, and - voila! - the browser sends the authentication cookie. (For a more detailed explanation of how it works, see this link.)

For now, CookieMonster is in the hands of only about 225 security professionals. In the next couple weeks, he plans to make it generally available. Perry says he hopes the limited release will help spread the word that this vulnerabilty needs to be fixed sooner rather than later.

While Perry has listed some two-dozen sites that are vulnerable, we're betting the list is much, much bigger. To find out if your bank is susceptible, clear all cookies and then log in to the site. Next, clear all cookies marked as "SECURE" (in Firefox, go to preferences > privacy > show cookies. Delete only the cookies marked as "Encrypted connections only"). Then visit the site again. If you're logged in, there's a strong chance the site is wide open.

If you find any, feel free to report it as a comment. ®

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Free virtual appliance for wire data analytics
The ExtraHop Discovery Edition is a free virtual appliance will help you to discover the performance of your applications across the network, web, VDI, database, and storage tiers.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.