CookieMonster Loves HTTPS Cookies

Status
Not open for further replies.

Kari

Distinguished
Jun 16, 2004
11
0
18,570
1
so this can only happen if you're using public wifi hot-spots? and I'm guessing unprotected WLAN as well??
 

steveseguin

Distinguished
Aug 18, 2008
46
0
18,580
0
It can actually happen on many levels, with public wifi probably being the most straight forward. Unsecured or WEP-based wifi are straight forward to exploit, with WPA-based wifi being very difficult, but still possible.

Using a VPN connection through a public wifi I would imagine might help prevent safe-guard yourself. Really, just clearing your cookies before using public wifi and not accessing secure sites while connected to it should help, i think.

DSL/Cable connections are also vulnerable, but a special modified modem would be needed in that case.

Also, virtually any man-in-the-middle attack could would work -- so a compromised proxy for example would do it.

 

dariushro

Distinguished
Nov 22, 2007
8
0
18,510
0
Cookies SHOULD be used only for common stuff, like visual preference of a site etc...if a cookie has sensitive information stored, it's only the site developer's fault.
 

michaelahess

Distinguished
Jan 30, 2006
286
0
18,930
0
I've been using a program called ferret to test my clients wifi networks for over a year (make sure and use layer 2 segregation), sounds about the same as this. I can capture gmail and yahoo accounts and login instantly. I don't see how this is news except maybe for the fact that he did it at Defcon which WILL get a response.
 

steveseguin

Distinguished
Aug 18, 2008
46
0
18,580
0
I can capture gmail and yahoo accounts and login instantly. I don't see how this is news except maybe for the fact that he did it at Def
Do they have to be currently using their Gmail/yahoo for you to steal their accounts? In this hack, they never need to even visit the site during their session-- it works actively rather than passively. This could be used to steal banking information from a user on a public wifi, for example, even though the user never the banking site.

if ferret does do this actively as well, that is neat. But the main news as you point out is the fact it is getting a response, when there was none previously.
 
Status
Not open for further replies.
Thread starter Similar threads Forum Replies Date
R Streaming Video & TVs 2
S Streaming Video & TVs 8
JMcEntegart Streaming Video & TVs 29
JMcEntegart Streaming Video & TVs 35
G Streaming Video & TVs 21
G Streaming Video & TVs 17
JMcEntegart Streaming Video & TVs 25
G Streaming Video & TVs 0
Tomsguiderachel Streaming Video & TVs 4
exfileme Streaming Video & TVs 2
exfileme Streaming Video & TVs 11
Marcus Yam Streaming Video & TVs 71
Marcus Yam Streaming Video & TVs 6
dconnors Streaming Video & TVs 18
JMcEntegart Streaming Video & TVs 27
Marcus Yam Streaming Video & TVs 61
Marcus Yam Streaming Video & TVs 23
JMcEntegart Streaming Video & TVs 37
JMcEntegart Streaming Video & TVs 10
G Streaming Video & TVs 21

ASK THE COMMUNITY