The Tech Herald

Cookie-jacking tool made semi-public – sites still vulnerable

by Steve Ragan - Sep 26 2008, 23:05

Mike Perry has released CookieMonster in a limited fashion. (Image: J. Anderson)

When The Tech Herald first interviewed Mike Perry, we learned of a security issue that no one took seriously. However, remaining persistent, Perry has explained the issues with SSL-based security and, as promised, released his "CookieMonster" tool to the public.

Mike Perry is not your typical security researcher: the Automated HTTPS Cookie Hijacking vulnerability he has discussed and researched was found by accident.

The problem appears to stem from the development side, in how Web site authentication is built. There are two issues here. One is that most Web sites offer no secure access (HTTPS) past the log-in page -- or no security at all. The other concerns Web sites that do use HTTPS, but fail to set the secure bit on the cookie.

"Basically, it revolves around the fact that cookies have two modes: secure and insecure," wrote Perry on his official blog. "If a cookie is insecure, a browser will transmit it for plain old http connections, and an active attacker can then inject a set of http images for sites that they want cookies for, and the browser will happily transmit cookies for these sites unencrypted, allowing their capture." 

"This attack can even be automated for the majority of sites without the need for a list of targets (though a list of targets can also work just fine against these sites as well, to capture their cookies for every IP on the network)," he added.
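The weak setting Perry describes is visible in a site's own response headers: a session cookie issued over HTTPS without the Secure attribute will also be sent by the browser on plain-http requests. The following Python audit is an added example, not code from the article and not Perry's CookieMonster; it parses Set-Cookie headers, flags session-looking cookies that lack Secure (and, as a related check, HttpOnly), and rebuilds the header in its corrected form. The cookie names, the name-hint list and the sample headers are all constructed for the example. Note that the Secure flag only helps a site in the second of the two cases above; a site that offers no HTTPS past the log-in page has nothing for the flag to protect.

```python
"""Audit Set-Cookie response headers for the missing Secure flag.

Added example (not the article's or Perry's code).  A browser sends a cookie
without the Secure attribute on http as well as https requests, so anyone
who can observe or steer plain-http traffic can read it off the wire.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed list of name fragments that usually mark an authentication
# session cookie; extend it with your own application's cookie names.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Canonical spelling for attributes when a header is rebuilt.
CANONICAL = {
    "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite",
    "max-age": "Max-Age", "path": "Path", "domain": "Domain",
    "expires": "Expires",
}


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute name (lower-cased) -> value, or None for value-less flags.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attrs

    def looks_like_session(self) -> bool:
        lowered = self.name.lower()
        return any(hint in lowered for hint in SESSION_NAME_HINTS)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value in the RFC 6265 shape.

    Splitting on ';' rather than ',' keeps an Expires date (which itself
    contains a comma) intact.  Attribute names are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit(headers: List[str]) -> List[str]:
    """Return one finding per weak session cookie; an empty list is a pass."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.looks_like_session():
            continue
        if not cookie.has_flag("secure"):
            findings.append(f"{cookie.name}: missing Secure (sent over plain http too)")
        if not cookie.has_flag("httponly"):
            findings.append(f"{cookie.name}: missing HttpOnly (readable by page scripts)")
    return findings


def harden(header: str) -> str:
    """Rebuild a Set-Cookie header with Secure and HttpOnly present."""
    cookie = parse_set_cookie(header)
    cookie.attrs.setdefault("secure", None)
    cookie.attrs.setdefault("httponly", None)
    out = [f"{cookie.name}={cookie.value}"]
    for key, val in cookie.attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is None else f"{label}={val}")
    return "; ".join(out)


# Constructed sample headers: the first is the weak pattern from the article
# (session issued by an HTTPS log-in page, but without Secure), the second is
# already correct, the third is a preference cookie that carries no session.
SAMPLE_HEADERS = [
    "sessionid=3f9a1c; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
    "csrftoken=9b2e; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print("WEAK:", finding)
    print("FIXED:", harden(SAMPLE_HEADERS[0]))
```

Run against captured response headers from your own site, the audit lists every session-looking cookie the browser would also send in the clear, and `harden` shows the header the server should have emitted instead.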

However, when Perry attempted to warn others about the problem, he was met with silence, and all of the researched avenues of communication led to brick walls. He also strived to remain in constant contact with various companies and Web sites, yet most are still vulnerable, and others flatly refuse to acknowledge the issue.

Case in point, LinkedIn, which, after initial contact from Perry, said: "...this is an attack against the end-user, not the web application itself," duly outlining its intention to do nothing at all.

In a follow-up e-mail, Perry was asked whether LinkedIn had a point in calling the issue client-side only, or whether LinkedIn had missed the larger picture: that it can protect the client, and thus its own user base, by upgrading its code and mitigating the attack.

"Yeah, in fact if you take a wider view of the issue of being unable to trust the Internet at large (especially with the DNS attack, the BGP attack, cable modem attacks, the SNMP attack, and this upcoming Toorcon presentation about compromising consumer routers to build botnets) there really is no way for the client to secure themselves other than an authenticated channel to LinkedIn, which they are refusing to provide their users for most of the core use cases of their site," said Perry.

[Toorcon runs from September 26-28 in San Diego, CA.]

Perry's subsequent "CookieMonster" tool, which was initially only available to a select few, is now available to anyone who wants to take the time to e-mail in a request for it. While Perry himself will do what he can to keep the tool from falling into the hands of those who would abuse it, the odds remain high that this will eventually be applied for criminal purposes.

Despite that fact, Perry has waited long enough and given out enough information and time in order for companies to fix the issue. Yet, even now, there is no direct link access to the "CookieMonster" tool.

"I know, I know, I should just bite the bullet and post a link to the tool. But I want to make sure that word is spread thoroughly, and that sites that are serious about protecting their users from this attack have time (within reason) to secure themselves," said Perry in a recent blog post.

"Gmail in particular is still ironing out some final bugs in their mixed mode https-is-really-secure implementation, so I've decided to be Mr. Nice Guy and at least wait for them," he added.

Which takes us back to the topic of 'Full Disclosure', as some will argue Perry should wait regardless. Yet, more will argue he has waited enough, and the press and postings surrounding his work are already being claimed by others as their own. Was Perry too giving in waiting this long? Are the sites simply taking advantage of his gesture and avoiding the fix?

The bigger picture is still a simple one. Perry’s research discovered something that could have been prevented with the proper use of HTTPS access. The development of Web-based applications has to start with security in mind, and rely less on adding security later.
