User:Slupers/my Cookiemonster attack

A cookie that should be only exchanged between a server and a client is sent to another party.

The CookieMonster attack is a man-in-the-middle exploit where a third party can gain HTTPS cookie data when the "Encrypted Sessions Only" property is not properly set. This could allow access to sites with sensitive personal or financial information.^[1]

In other words, an adversary able to position themselves in between you and a website is able to run his/her own code on domains that do not set the 'Encrypted Sessions Only' property of their cookies, and thus cause your web client to transmit the website's cookies as text, intercept them, and impersonate you.^[2]

Implications

A successful CookieMonster attack can result in the loss of a website client's private data. People often enter personal details into forms on the web, and this information is sometimes saved as cookies in the user's browser. Such personal data could include login information, credit card numbers, social security number, etc. Such personal information might be picked up by a server on a domain other than the one where the user willingly provided their information. This information can then be used for identity fraud, bank fraud, and other malicious behavior.^[3]

Methods of attack

This attack can happen via a number of mechanisms, including via the local wired or wireless network, via Dan Kaminsky's DNS hijack attack, via the Tor network, or via the cable modem network (though this would require a custom modem). The steps performed during an attack are as follows:^[4]

1. Cache all DNS responses on the network to obtain a mapping of what host name clients are resolving to know the host they are using for server IPs.
2. When a client IP connects to a server IP using https (port 443), look up what hostname they resolved in the DNS cache to get this IP.
3. Add this domain as a target for that client IP.
4. When that IP then connects to any http website, look up what targets it has accumulated, and optionally add on a list of custom targets for completely insecure sites such as mail.yahoo.com and mail.live.com. Inject images for each of these into that TCP connection.
5. When the browser fetches these images, it will transmit any insecure cookies for that domain and path. Record the resulting cookies (and any others) to a Firefox-compatible cookies file.

At DEF CON 16, Mike Perry introduced a tool that automatically targets all insecure sites. As Perry's tool shows, even if no one has heard of a site a user is accessing, the site is not necessarily secure.^[5]

Prevention

Users of the World Wide Web can reduce their exposure to CookieMonster attacks by avoiding websites that are vulnerable to these attacks. Certain web browsers make it possible for the user to establish which sites these are. For example, users of the Firefox browser can go to the Privacy tab in the Preferences window, and click on 'Show Cookies.' For a given site, inspecting the individual cookies for the top level name of the site, and any subdomain names, will reveal if 'Send For: Encrypted connections only,' has been set. If it has, the user can test for the site's vulnerability to CookieMonster attacks by deleting these cookies and visiting the site again. If the site still allows the user in, the site is vulnerable to CookieMonster attacks.^[6]

Also, Firefox users can install the add-on NoScript. It has a feature called "Forced Secure Cookies", which according to the author of the add-on, Giorgio Maone, can nullify the threat of the CookieMonster attack.^[7]

Prevention strategies of man-in-the-middle exploit apply as well.

History

On December 22 of 1998, a Oliver Lineham (a student from Wellington, New Zealand) created a webpage describing the CookieMonster flaw he and a friend discovered. The page listed vulnerable web browsers, provided a demonstration, and discussed possible implications of a CookieMonster attack.^[8]

On August 9 of 2008, at DEF CON 16, Mike Perry presented an automated tool to perform CookieMonster attacks on all insecure websites.

On October 28 of 2008, Netcraft discovered a vulnerability on the Yahoo site that was exploited to steal user authentication cookies. These cookies contained user login credentials that could be used to access any of Yahoo’s services, including e-mail. These cookies were being sent remotely to a site in the United States under the control of the attacker. This attack was executed using a CookieMonster attack tool.

Yahoo quickly corrected the flaw and released the following statement:^[9]

"The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue. As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com."

References

1. Goodwin, Dan. "CookieMonster nabs user creds from secure sites • The Register". Retrieved 2009-02-18.
2. Perry, Mike. "Automated HTTPS Cookie Hijacking". Retrieved 2011-12-07.
3. Lineham, Oliver. "Cookie Monster". Retrieved 2011-12-07.
4. Perry, Mike. "Automated HTTPS Cookie Hijacking". Retrieved 2011-12-07.
5. Perry, Mike. "Automated HTTPS Cookie Hijacking". Retrieved 2011-12-07.
6. Claburn, Thomas. "CookieMonster Can Steal HTTPS Cookies". Retrieved 2011-12-07.
7. Naraine, Ryan. "NoScript mitigates HTTPS cookie hijacking attacks". Retrieved 2011-12-07.
8. Lineham, Oliver. "Cookie Monster". Retrieved 2011-12-07.
9. "Change Your Yahoo Email". Retrieved 2011-12-07.

External Links

• http://fscked.org/blog/cookiemonster-core-logic-configuration-and-readmes

Category:Web security exploits