CookieMonster Loves HTTPS Cookies

Status
Not open for further replies.

Kari

So this can only happen if you're using public wifi hot-spots? And I'm guessing unprotected WLAN as well?
 

steveseguin

It can actually happen on many levels, with public wifi probably being the most straightforward. Unsecured or WEP-based wifi are straightforward to exploit, with WPA-based wifi being very difficult, but still possible.

Using a VPN connection through a public wifi, I would imagine, might help safeguard yourself. Really, just clearing your cookies before using public wifi and not accessing secure sites while connected to it should help, I think.

DSL/Cable connections are also vulnerable, but a special modified modem would be needed in that case.

Also, virtually any man-in-the-middle attack would work -- so a compromised proxy, for example, would do it.

 

dariushro

Cookies SHOULD be used only for common stuff, like visual preference of a site, etc. If a cookie has sensitive information stored, it's only the site developer's fault.
 

michaelahess

I've been using a program called ferret to test my clients' wifi networks for over a year (make sure and use layer 2 segregation), sounds about the same as this. I can capture gmail and yahoo accounts and login instantly. I don't see how this is news except maybe for the fact that he did it at Defcon, which WILL get a response.
 

steveseguin

I can capture gmail and yahoo accounts and login instantly. I don't see how this is news except maybe for the fact that he did it at Def
Do they have to be currently using their Gmail/yahoo for you to steal their accounts? In this hack, they never need to even visit the site during their session -- it works actively rather than passively. This could be used to steal banking information from a user on a public wifi, for example, even though the user never visits the banking site.

If ferret does do this actively as well, that is neat. But the main news, as you point out, is the fact it is getting a response, when there was none previously.
 