Vulnerable cookies

Mike Perry’s discovery that some supposedly secure Web sites (Gmail, for example, but also financial institutions such as Bank of America) are setting supposedly secure cookies that are susceptible to hijacking is getting press. I think it’s a terrific vulnerability because cookies are handled in the background and they can persist, so vulnerable ones may still be on one’s computer after the Web sites have updated (unless they do it the right way).

Brian Krebs of the Washington (DC, US) Post has an explanation of the way it works (is that “htp” a typo or does he really mean a preprocessor?).

Consider the following scenario. You log into your Gmail account on a wireless hotspot at the local coffee bar, being careful to do so by clicking on a bookmark that sends you to In between reading your e-mail, for example, you surf over to another trusted Web site. A bad guy who has hijacked the establishment’s network sees that you’ve requested a new Web page and appends a tiny image at htp:// to the new page you requested. Bingo. Your browser will spit out the Gmail cookie with your credentials.

One does not have to be in a wi-fi environment for the exploit to work, though. One could probably have one’s cookies invoked by a hijacked Web page just as well.
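To see the mechanism described above in working code, here is an added example (mine, not code from Mr. Perry, Mr. Krebs or any site mentioned). It uses Python’s standard cookie jar, which applies the same rule browsers do: a cookie carrying the Secure attribute is only ever sent over https, while one set without it rides along on any plain http request, such as the tiny image a hijacked page could embed. The domain mail.example.com, the cookie names SID and GX and the Set-Cookie headers are constructed placeholders. The second function is the check a site operator would want: given the Set-Cookie lines an HTTPS login actually returns, it names every cookie that was set without Secure.

```python
"""Added example: why a cookie set without the Secure attribute leaks over http://.

Constructed scenario (mail.example.com is a placeholder, not a real site):
a browser holds two session cookies for the mail site.  "SID" was set with
the Secure attribute; "GX" was set without it.  http.cookiejar applies the
same rule browsers do, so we can show which cookies would be attached to a
request for an http:// image that some other page embeds.
"""
from http.cookiejar import Cookie, CookieJar
from http.cookies import SimpleCookie
import urllib.request

SITE = "mail.example.com"  # placeholder domain for the example


def make_cookie(name, value, domain, secure):
    """Build a Netscape-style (version 0) cookie as a browser would store it."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def build_jar():
    """The constructed cookie store: one Secure cookie, one legacy cookie."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("SID", "s3cr3t-session", SITE, secure=True))
    jar.set_cookie(make_cookie("GX", "legacy-session", SITE, secure=False))
    return jar


def cookies_sent(jar, url):
    """Names of the cookies the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the Secure / domain / path rules
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def insecure_cookies(set_cookie_headers):
    """Server-side check: which Set-Cookie lines lack the Secure attribute.

    Feed it the Set-Cookie headers your own HTTPS site returns; every name
    returned here is a cookie a browser will also send over plain http.
    """
    leaky = []
    for line in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(line)
        for name, morsel in parsed.items():
            if not morsel["secure"]:  # flag attribute is True when present, "" otherwise
                leaky.append(name)
    return leaky


if __name__ == "__main__":
    jar = build_jar()
    print("https request ->", cookies_sent(jar, f"https://{SITE}/inbox"))
    print("http request  ->", cookies_sent(jar, f"http://{SITE}/pixel.gif"))
    # Constructed Set-Cookie headers as a login response might return them.
    headers = [
        "SID=s3cr3t-session; Path=/; Secure; HttpOnly",
        "GX=legacy-session; Path=/; HttpOnly",
    ]
    print("cookies set without Secure:", insecure_cookies(headers))
```

Run as a script it shows both cookies going out over https but only GX over http, which is exactly the leak: the fix on the server side is to set Secure (and, for persistent cookies, to expire and reissue the ones already sitting in users’ browsers), and `insecure_cookies` is the quick audit for that.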

Read Mr. Krebs’ article.

In an article in the Manchester (UK) Register, Dan Goodin reiterates Mr. Perry’s method to test extant cookies on one’s computer.

Read a collection of Mr. Perry’s notes on the topic.


Filed under News, Technology