NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA Listmaster
NRT-0616 New toolkit steals user credentials from secure
sites:
A new tool, dubbed CookieMonster, siphons users'
authentication credentials from Web sites used for e‑mail, banking,
e‑commerce, and other sensitive applications, even when secure channels
are used, according to an online IT journal. The toolkit reportedly is used in a
variety of man‑in‑the‑middle scenarios to trick a victim's
browser into turning over the authentication cookies used to gain access to user
account sections of a Web site. Unlike an attack method known as sidejacking, it
works with vulnerable Web sites even when a user's browsing session is
encrypted from start to finish using the secure sockets layer protocol.
According to Mike Perry, creator of CookieMonster, Web sites
that seem to be vulnerable to attack include 'united.com,'
'bankofamerica.com,' 'register.com,' 'netflix.com,' and
a host of other big‑name online destinations.
Errata Security's Rob Graham, who introduced Sidejacking
tools a little more than a year ago, says Gmail is not vulnerable as long as a
recently implemented https‑only option is turned on; however, 'Google
Docs,' 'Google's Blogger.com,' and 'Google Finance'
remain vulnerable.
The vulnerability stems from Web site developers' failure
to designate authentication cookies as secure, which means browsers are free to
send them over the insecure http channel ‑ exactly what CookieMonster
causes them to do. It does this by caching all DNS responses and then watching for
connections on port 443 to any of the hostnames stored there.
CookieMonster then injects images from insecure (non‑https) portions of
the protected Web site, and the browser sends the authentication cookie.
CookieMonster is now in the hands of only about 225 security
professionals. In the next couple weeks, however, Perry plans to make it
generally available, according to the report. He says he hopes the limited
release will help spread the word that this vulnerability needs to be fixed
sooner rather than later. Perry listed some two‑dozen vulnerable sites;
however, the report suspects the list is "much, much bigger."
The report offers instructions to determine whether a
bank's Web site is susceptible to the attack. First, clear all cookies [from
the browser] and log in to the bank's site. Clear all cookies marked as
"SECURE." In Firefox, go to Preferences > Privacy > Show Cookies, and
delete only the cookies marked as "Encrypted connections only." Then
visit the site again; if the user is indicated as logged in, there is a strong
possibility the site is vulnerable.
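The same check, done on the server's own headers rather than in the browser, as an added example (not code from the report, from CookieMonster, or from any site named above): it parses Set-Cookie headers and reports which session cookies a browser would still send over plain http because they lack the Secure attribute. The header values, the cookie names and the host bank.example are constructed for the example.

```python
# Added example: audit Set-Cookie headers for the weakness the report describes.
# A cookie without the Secure attribute is attached to plain http:// requests to
# the same host, which is what an injected non-https image fetch relies on.
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return name.strip(), value, attrs


def cookies_sent_to(jar, url):
    """Names of cookies a browser would attach to a request for url.

    Only the Secure rule is modelled: Secure cookies go over https only,
    everything else also goes over http (domain/path matching is omitted).
    """
    scheme = urlparse(url).scheme
    return sorted(
        name for name, attrs in jar.items()
        if scheme == "https" or not attrs.get("secure")
    )


def audit(headers, session_names=("sessionid", "auth")):
    """Return the session cookies that would leak over a plain http request."""
    jar = {}
    for h in headers:
        name, _value, attrs = parse_set_cookie(h)
        jar[name] = attrs
    leaked = cookies_sent_to(jar, "http://bank.example/")  # constructed host
    return [n for n in leaked if n.lower() in session_names]


# Constructed sample headers: WEAK is the vulnerable form, FIXED adds Secure.
WEAK = ["sessionid=abc123; Path=/; HttpOnly", "lang=en; Path=/"]
FIXED = ["sessionid=abc123; Path=/; Secure; HttpOnly", "lang=en; Path=/"]

if __name__ == "__main__":
    print("weak site leaks:", audit(WEAK))    # ['sessionid']
    print("fixed site leaks:", audit(FIXED))  # []
```

A site that passes this audit can still fail the browser test above if a session cookie is set under a name the audit does not know; extend session_names to match the site.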
[www.theregister.co.uk 11Sep08]