HTTPS Cookie Hijacking Not Just For Gmail 128
mikepery writes with a followup to last month's mention of a security vulnerability affecting Gmail accounts, which it seems understated the problem.
"I figure the Slashdot readership is the best place to reach a large number of
slacking admins and developers, so I want to announce that it's been 30 days
since my DEFCON presentation on HTTPS
cookie hijacking, and as such, it's now time to release the tool to a much
wider group. Despite what was initially
reported, neither the attack nor the tool
are gmail-specific, and many
other websites are vulnerable. So, if you maintain any sort of reasonable
looking website secured by
any SSL certificate (Sorry Rupert, you lose on both counts), even if it is just self-signed, you can contact me and I will provide you with a copy of the tool. Be sure to put 'CookieMonster' in the subject, without a space." (More below.)
"I'd also like to encourage security professionals and consultants to request a
copy of the tool for use in encouraging their clients to adopt
SSL properly for their websites. There's no possible way for me to reach
every site, but if convincing demonstrations can be given of the vulnerability
on an individual basis, perhaps that will drive the issue home much more than
the press alone has done. Heck, the tool might even land you a few new
clients."
new security vulnerability (Score:2, Funny)
Posting an e-mail address on /.
Comment removed (Score:3, Interesting)
Re:new security vulnerability (Score:2, Interesting)
i'm thinking cm is "contact me", so contact me via the fscked organisation
Re:new security vulnerability (Score:2)
i'm thinking cm is "contact me", so contact me via the fscked organisation
Er, cm == 'Cookie Monster', I think.
He's likely using a hyphenated address which allows for filtering using scripted mail tools.
Re:new security vulnerability (Score:2)
Re:new security vulnerability (Score:1)
Re:new security vulnerability (Score:1)
Are you that ignorant that you can't figure out his email.
via = @
thefsckedorganization = fscked.org
He is using mikeperry-cm@ because he's called his tool Cookie Monster.
I swear, some people need an IQ test before they should be allowed to post!!
Re:new security vulnerability (Score:1, Informative)
Because then every worm that looks for username@domain.cc would find it. Congrats on defeating the purpose by posting it, though.
Re:new security vulnerability (Score:1, Insightful)
Re:new security vulnerability (Score:3, Funny)
He was just trying to use basic Darwinism to filter out idiots. But some defender of white moths told them to fly away and take cover cause da smoke was a comin! Dam u!
Re:new security vulnerability (Score:5, Funny)
cmvia is command modulated voice interface application. In other words you roll down your window and yell 'MIKE PERRY I NEED THAT FILE.' Eventually a carrier pigeon delivers it to you.
yeah... (Score:2)
Re:yeah... (Score:3, Funny)
But it kinda limits your possibilities.
Re:yeah... (Score:5, Informative)
Re:yeah... (Score:0)
Are you sure you are on the SIPR?
Re:yeah... (Score:3, Insightful)
Re:yeah... (Score:2)
Re:yeah... (Score:2)
"air gapping" (Score:2)
Re:yeah... (Score:1)
I like that when you click on the Privacy notice on the DoD Network Information Site (http://www.nic.mil/), you get a 404 page:
http://www.disa.mil/info/secpriv.html [disa.mil]
Ah, the irony of it... I guess there is not a single privacy statement that would protect anybody from just clicking through publicly available pages?
Re:yeah... (Score:0)
Let me guess, the other channels are weather channel, FoxNews, and some lame training station.
Re:yeah... (Score:3, Insightful)
Walk into any US Intel / Base Ops / Command Post in the world, and you'll find CNN on a big flat-screen up on the wall.
Re:yeah... (Score:3, Funny)
Walk into any US Intel / Base Ops / Command Post in the world, and you'll find CNN on a big flat-screen up on the wall.
I tried this, now i'm in gitmo.
Re:yeah... (Score:1)
Re:yeah... (Score:2)
Yep, it's a good idea to monitor the broadcasts of the opposition.
CNN -- the news network that carries The Daily Show on it's international feed.
Re:Someone Skipped Their OPSEC Rebrief (Score:2)
Yeah I'm the first person to ever say "I'm in the military and we have this thing called SIPR and here's a public link to the wiki."
And I'm probably also the first say "We can convert sat feeds to digital signal. DONT TELL THE COMMIES!"
Re:yeah... (Score:2, Interesting)
Re:yeah... (Score:3, Informative)
Comment removed (Score:2)
Re:yeah... (Score:1)
Re:yeah... (Score:0)
Re:yeah... (Score:1)
Easy to find out... (Score:5, Informative)
If you want to manually examine a site you visit:
Clear all cookies.
Log in.
Clear all cookies marked as "SECURE" (in firefox, preferences->privacy->show cookies. Delete JUST the cookies marked as "Encrypted connections only").
Go back to the site. Can you act as if you are logged in? If so, the site is COMPLETELY insecure.
Comment removed (Score:5, Informative)
Re:Easy to find out... (Score:5, Informative)
Re:Easy to find out... (Score:3, Interesting)
I can get you there.
My ISP assigns me a new IP every few minutes even if I'm in the middle of a download. Makes using rapidshare impossible.
And yes, there's always the jackass developer who thinks he's smart locking sessions to an IP which for me just means either being logged out again and again or it locking up till the link to the old IP has expired.
Yes I know it's the ISP but they're the only game in town and I'm not going back to 56K
Re:Easy to find out... (Score:0)
Which ISP is this? Gotta know so that I know to avoid them in future...
Re:Easy to find out... (Score:1)
Telkom South Africa do exactly this. I should know, I spent about three hours last week debugging a PHP application that would not accept the cookie if it came from a different IP address. I found that successive requests from one machine were appearing at the server to originate from two different IPs. No idea how/why this happens - no proxy was set in the OS or browser of the client.
Not that you wouldn't want to avoid Telkom in the first place... but then, if we could avoid them we wouldn't be using them in the first place!
Re:Easy to find out... (Score:2)
No idea how/why this happens - no proxy was set in the OS or browser of the client.
A router can be configured to transparently redirect all traffic destined for port 80 (with any destination IP) into a proxy server; it's called a "transparent proxy" because your browser doesn't know it's happening. Here's more information and how to set it up on Linux [tldp.org].
Re:Easy to find out... (Score:1)
*cough* AOL *cough*
Re:Easy to find out... (Score:2)
BT ireland,
I've sat and watched my IP change while I had active connections.
I can have an SSH session open to a remote server and suddenly it stops responding and I have to open a new one. fucking annoying.
Re:Easy to find out... (Score:0)
My ISP assigns me a new IP every few minutes even if I'm in the middle of a download. Makes using rapidshare impossible.
How *do* you download anything if you get a new IP every few minutes?
Are you able to VPN into work for more than a few minutes at a time?
Re:Easy to find out... (Score:2)
some download managers deal with the switch ok. Unfortunatly some servers do not.
Re:Easy to find out... (Score:1)
Re:Easy to find out... (Score:2)
Only available with the buisness package(or so I was told when I called them) which is much more expensive.
Comment removed (Score:3, Interesting)
Re:Easy to find out... (Score:2)
Re:Easy to find out... (Score:2)
All of my cookies are for "Any type of connection" including my bank.
Re:Easy to find out... (Score:5, Interesting)
Re:Easy to find out... (Score:5, Insightful)
I think the explanation is quite simple. "We don't know what we're doing."
Re:Easy to find out... (Score:1)
Bank of America has some explaining to do.
They would boast about their SiteKey© or some such thing. I doubt much would change without a greater segment of the customer base demanding it.
Re:Easy to find out... (Score:2, Funny)
if this is true (and I am able to follow directions correctly) then Bank of America has some explaining to do.
Here, why don't you give me your current IP address real quick and I'll take a look it to make sure you're doing everything correctly. ;)
Re:Pay attention (Score:0)
You need to check *all* their domains. For me nothing at bankofamerica.com is secure, but onlineeast1.bankofamerica.com has at least two secure cookies and they go away when you log out.
Re:Easy to find out... (Score:2)
Bank of America has had some explaining to do for many years now, and I ain't talkin' 'bout no websites, neither.
Re:Easy to find out... (Score:0)
Re:Easy to find out... (Score:4, Interesting)
I did this with our own web-based product and found out that yes, indeed, we are insecure. It took a few minutes of poking around to find out how to secure our site.
So, for everybody else: if you are using PHP, you need to pay attention to Set_Cookie_Params() [php.net]. Here's the 1-liner call that we make in order to solve this problem for us, before any calls to session_register():
Session_Set_Cookie_Params(720, '/', $_SERVER['SERVER_NAME'], true);
Parameters:
1) 720: Our sessions timeout after 2 hours.
2) '/': the cookie applies to all paths within our site.
3) $_SERVER['SERVER_NAME']: applies only to the specific domain name originally called. (we use subdomains, so this is important)
4) true: (the most important one), this means that the cookies can only be used over SSL.
Re:Easy to find out... (Score:2)
You could do the same thing using a .htaccess file (assuming you are running Apache).
php_flag session.cookie_secure on
This way ensures that it is set before any PHP script runs, regardless of what scripts are used.
Comment removed (Score:2)
Re:Easy to find out... (Score:1)
Re:Easy to find out... (Score:1)
And even moreso... (Score:2)
CookieMonster is an active tool.
It will take any OTHER connection the user makes on a wireless link, redirect THAT to point to http://yoursite.com/ [yoursite.com] answer that request with a SYN, and now the browser spits out the cookie.
You are in grave danger.. (Score:0)
...so give me your emailaddress.
WTF?!? (Score:5, Insightful)
If you are going to release a tool, just fucking do it. Give is a link and be done with it.
please tag itsatrap (Score:5, Interesting)
Why don't YOU just e-mail the guy and be done with it?!
Perhaps it's... A TRAP!
Re:please tag itsatrap (Score:3, Funny)
Please install this tool on all servers and workstations as admin for maximum benifit.
Re:WTF?!? (Score:0)
Guaranteed that this will be posted to a torrent site, Usenet, or RapidShit by the end of the day.
Re:WTF?!? (Score:2)
So ask someone who went to DEFCON for a copy.
Re:WTF?!? (Score:0)
This tool should be posted publicly so that this "threat" can also be studied by people who don't know anyone who went to defcon or who don't want to waste their friends valuable time on what is probably an exagerated threat (I've always assumed my cookies were transferrable).
Re:WTF?!? (Score:1)
Djagno and Secure Cookies (Score:5, Informative)
Re:Djagno and Secure Cookies (Score:0)
Why, just why, would the default for 'secure cookies' ever be set to false?!
I just don't understand...
Re:Djagno and Secure Cookies (Score:2)
Because most sites don't use SSL to begin with. That said, they should at least include the line in the settings.py file, with a comment to set it to True if you use SSL.
Re:Djagno and Secure Cookies (Score:2)
So... I suppose I've been mis-using SSL all along, but, I secure the login with ssl, after that, the information inside my sites isn't particularly sensitive in any way, I just protect the username/password on the wire for all those people that have 1 username and 1 password for everything...
I assume to protect against this vuln every page behind the login has to be 100% SSL secured so that you can keep sending the sessionid cookie? If so, that means I get to buy twice as many servers for my 2 little web apps (that already have 5 servers dedicated to them) to support all that SSL traffic? It's not like I'm making much money off these things, maybe 3-400 in ads a month. Am I understanding correctly?
Re:Djagno and Secure Cookies (Score:1)
I assume to protect against this vuln every page behind the login has to be 100% SSL secured so that you can keep sending the sessionid cookie? If so, that means I get to buy twice as many servers for my 2 little web apps (that already have 5 servers dedicated to them) to support all that SSL traffic?
I doubt it. Try turning on secure cookies and only having an SSL-enabled login page. Your webserver should be able to accept the secure cookies over SSL and insecure data over HTTP.
5 servers for 2 apps is a lot. Have you tried a more distributed scheme with 2 servers for the HTML, 2 for the database, and a dedicated SSL proxy? It's a bit of a pain to set up, but you may get better performance with a dedicated SSL machine than the "Renaissance server" tactic.
Re:Djagno and Secure Cookies (Score:2)
I have 3 web and 2 db... I guess I could pull one of those web and dedicate it to ssl...
Anyway, I'll give it a go and see what happens.
fscked (Score:1)
Secure by permissioning or secure by encryption? (Score:2)
Ways to fix this:
File Permissions: When the web server asks to write cookie, browser uses file permissions to create a group for that site, and allows only members of that group to read or write to that cookie. Either use the disk filesystem's permissioning, or reimplement a permissioning system within the browser profile, to be used only for cookies.
File Encryption: Using a public key encryption method, the content of cookie file is encrypted using the web site's private encryption key, and can only be decrypted by the web server.
Perhaps a combination of both approaches would yield the most secure cookie system.
Re:Secure by permissioning or secure by encryption (Score:3, Informative)
File Permissions: When the web server asks to write cookie, browser uses file permissions to create a group for that site, and allows only members of that group to read or write to that cookie. Either use the disk filesystem's permissioning, or reimplement a permissioning system within the browser profile, to be used only for cookies.
Requires giving the browser root access to the system (though you can mitigate this by running a jail or sandbox).
File Encryption: Using a public key encryption method, the content of cookie file is encrypted using the web site's private encryption key, and can only be decrypted by the web server.
I thought that's what SSL cookies do in the first place?
Re:Secure by permissioning or secure by encryption (Score:2)
File Permissions: When the web server asks to write cookie, browser uses file permissions to create a group for that site, and allows only members of that group to read or write to that cookie. Either use the disk filesystem's permissioning, or reimplement a permissioning system within the browser profile, to be used only for cookies.
Requires giving the browser root access to the system (though you can mitigate this by running a jail or sandbox).
Good point, kindof why I suggested re-implementing permissioning at a higher level of abstraction than the filesystem.
I thought that's what SSL cookies do in the first place?
Right, but I'm saying they should do encrypted cookies across the board, whether the site is SSL or not.
Re:Secure by permissioning or secure by encryption (Score:1)
Wait wait... what?
Encrypt the cookie data with the site's private key? ... So that holders of the site's public key can decrypt the contents of the cookie? Which would be everyone?
But maybe you meant encrypt the cookie data with the site's public key, so that only the site can decrypt it. That would make more sense. But, still, that doesn't work.
See, you'll be sending something over HTTP to the site in question. Let's say it's a secret message that only the site can decrypt, per your proposal. That does not prevent anyone else from sending the same secret message. I don't have to be able to decrypt the secret cookie to snoop, copy, then send the secret cookie.
One's next inclination may be to find a way to make sure that others can't send the same secret cookie. Perhaps some kind of authentication. I think things start to get a little complex this way. Why not just have the site serve the cookie with "Secure;" in the string?
How do you secure a site? (Score:4, Interesting)
There were a lot of 'email me's and talk about bad htps settings but not much content on really what needs to be done for fixing an existing site or properly setting up a new site to be secure.
Re:How do you secure a site? (Score:4, Informative)
There were a lot of 'email me's and talk about bad htps settings but not much content on really what needs to be done for fixing an existing site or properly setting up a new site to be secure.
Executive summary:
It is possible to set a single bit in a cookie sent to the browser which means "Only send this cookie over secured connections".
Many websites (including some important ones like online banking) don't set this bit for the cookie(s) used for session tracking. Hence, it is possible for an attacker to get the cookie with an invisible proxy that injects HTML which forces the browser to fetch something from the server which set up the cookie.
eg. I set up an invisible proxy on my wireless network which injects into every page and logs the cookie your browser sends when it attempts to connect to mail.google.com for the image.
I can now plug this cookie into Firefox and read your email.
Solution: if your website sets any cookies over an HTTPS connection, such cookies must set the bit meaning "Only send over secure connections". How one goes about doing this will depend on whether you're generating cookies yourself or using an existing framework.
Webmail is broken (Score:2)
Let's make this simple. Don't use webmail. Don't use Yahoo.com, Gmail.com, Hotmail.com, squirrelmail, etc. There are SO many vulnerable access points between the web application and your email that it is almost impossible to secure the entire stack.
The use of Ajax alone (like most major webmail vendors) increases your vulnerability by huge amounts. SOP (same origin policy) is broken. A combination of a reflected XSS attack (which are everywhere http://blogs.zdnet.com/Google/?p=451 [zdnet.com] ) and a stored XSS attack can completely compromise your session.
Forgetting about XSS, there's still CSRF, injections, RFI, information leakage, broken authentication/session management, insecure url access, etc.
So seriously - unless you trust that your email server has secured every possible hole in every possible layer of their stack, stick to TLS/SSL encrypted imap/pop3/smtp. Now, I'm not saying these are perfect, but email protocols are just simpler. There will always be fewer places to attack and thus the chances of your email being compromised are just smaller.
Re:Webmail is broken (Score:2)
Your solution only works if
webmail+storage at google
is more secure than
smtp/pop over tls + storage at a typical user's HD which I'm pretty sure is a bad assumption.
Re:Webmail is broken (Score:2)
Oh - I'm not speaking to the typical user. The typical user probably has a keylogger or trojan that makes this all void. I'm speaking to those who are security literate and want to choose both the simplest and most secure solution.
Personally, I use GPG and have an encrypted hard drive and I feel far more comfortable using IMAP over TLS after compromising Gmail with an XSS exploit.
Google Cache (Score:2)
All I want for Christmas is a website that
Yodlee MoneyCenter (Score:1)
Are any sites NOT vulnerable? (Score:1)
Using the method outlined in the post, I can't find any sites that I have cookies for that aren't vulnerable.
Re:Are any sites NOT vulnerable? (Score:2)
If I understand the problem correctly, it seems a simple workaround is to delete all cookies related to a vulnerable site as soon as you've finished, that would soon stop my browser sending them to nefarious sorts with invisible proxies.
Firefox should complain (Score:2)
Firefox should complain loudly when such cookies are being sent:
"Server error: server has sent cookies unsafely. You can add an exception, by clicking below, but until the web site operator fixes the site, you should consider your session not secure."
Security measures not used (Score:2)
You know, that "encrypted sessions only" bit wasn't put in there just for fun. It's bad enough we have any number of things broken by design, we could at least use the security which actually _was_ designed into the system.
The issue described (Score:5, Informative)
1. Look at DNS requests or do a IP-domain reverse lookup to know what websites the target is visiting over HTTPS. Automated tool can do this over time.
2. On next regular HTTP request by your target, be a man-in-the-middle and inject an image pointing to desired HTTPS site, except don't use HTTPS - just HTTP.
3. Browser will dutifully send the cookie along with the image request over plain HTTP (after all, the domain names match), even though the cookie was created and managed only via HTTPS by the original website.
4. Now your automated sniffer just picked up the supposedly "secure" cookie for the HTTPS site, even though you never even attempted to hack the HTTPS conversation. If the site stores your username/password, a session id, etc this could expose sensitive information.
5. Protect your applications by setting the encrypted session only flag on the cookie so the browser won't send it with plain HTTP requests. If you have HTTP and HTTPS areas of the site, keep separate cookies for both areas and make sure sensitive info is only stored in the HTTPS-only cookie.
Re:The issue described (Score:1)
Thanks for your clarification.
This is basically what I gathered from reading the author's description, but it was so poorly written that it left me wondering.
Re:The issue described (Score:2)
While this is disconcerting, it's not like step 2 (being a man in the middle) is easy for an attacker. If they can play that game, you have many things to worry about, which I think is a pretty simple explanation for why people aren't totally panicking over this.
Re:The issue described (Score:2)
Good explanation, but I find it's better to just skip the cookies entirely and stick to cupcakes.
-
Thanks for the panic attack (Score:2)
OK, when did it become funny to put the contents of my cookie in TFA?
Oh, and I am not responsible for the CSS on the sites I develop for my employer. Don't blame me for the dark blue text on a medium blue background.
Just release it in the conventional way already... (Score:2)
(For those who might be tempted to say Defcon, it was not ready).
It's out there, enough with the needless delays and just get a mirror/link out there.
Client-side Mitigation (Score:2)
Whenever a cookie is set over a secured HTTPS connection, NoScript forcibly flags it as "Secure" even if the server didn't. Therefore the browser won't leak it anymore over insecure connections.
Obviously this feature works always as long as it's turned on, independently from JavaScript/Java/Flash/Plugins permissions.
Hi I'm a proffesional lock-picker (Score:2)
If you are leaving your home for a few days and have trouble locking your home, let me know the address and I'll send you a lock!
Asp.net workaround (Score:1)
The server still accepts http requests to display a "site can only be viewed over https"
This C# code added to global.asax will secure all cookies on a
protected void Application_EndRequest(Object sender, EventArgs e)
{
if (Request.Url.Host != "localhost" && Response.Cookies.Count > 0)
{
foreach (string s in Response.Cookies.AllKeys)
{
Response.Cookies[s].Secure = true;
}
}
}