Feeds

CookieMonster nabs user creds from secure sites

Secure in name only

Internet Security Threat Report 2014

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels.

Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios to trick a victim's browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user's browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

According to Mike Perry, the creator of CookieMonster, websites that appear to be vulnerable to the attack include united.com, bankofamerica.com, register.com, netflix.com, and a host of other big-name online destinations. Errata Security's Rob Graham, who introduced Sidejacking tools a little more than a year ago, says Gmail is not vulnerable as long as a recently implemented https-only option is turned on. But Google Docs, Google's Blogger.com and Google Finance remain wide open.

The vulnerability stems from website developers' failure to designate authentication cookies as secure. That means web browsers are free to send them over the insecure http channel, and that's exactly what CookieMonster causes them to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure (non-https) portions of the protected website, and - voila! - the browser sends the authentication cookie. (For a more detailed explanation of how it works, see this link.)

For now, CookieMonster is in the hands of only about 225 security professionals. In the next couple weeks, he plans to make it generally available. Perry says he hopes the limited release will help spread the word that this vulnerabilty needs to be fixed sooner rather than later.

While Perry has listed some two-dozen sites that are vulnerable, we're betting the list is much, much bigger. To find out if your bank is susceptible, clear all cookies and then log in to the site. Next, clear all cookies marked as "SECURE" (in Firefox, go to preferences > privacy > show cookies. Delete only the cookies marked as "Encrypted connections only"). Then visit the site again. If you're logged in, there's a strong chance the site is wide open.

If you find any, feel free to report it as a comment. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.