Secure browsing flaw reveals a nasty exploit
Fruit is lame. Cookies are the way to go. When I saw the big blue fur dude yell "cookeeez!" and stuff his face with crumbly goodness, I knew me and Cookie Monster would get along fine. But I was crushed to see he’s been dabbling in “grey hat” SSL exploit hacking. The gleefully delusional crumb muncher is the mascot of a new cookie-snatching hack that can collect your login info on Gmail, Netflix, or even your bank. Well, he’s not real, but the danger is.
The Debut of the CookieMonster
The approach has been around for at least a year, but it publicly debuted a couple of weeks ago at the DEFCON security conference. It details how a hacker can trick your browser into transmitting your login info for secure sites. Gmail, banks, and many online merchants use HTTPS connections to protect you from prying eyes.
Mike Perry, a self-described random hacker, gave a quick PowerPoint demo at the conference. Perry promises to release a tool that puts the power into legions of "script kiddies" (hackers who only use other people’s pre-written code) around the world.
How the Exploit Works
The tool scans Wi-Fi traffic for HTTPS (port 443) connections and records, by IP address, which hostnames each user has communicated with. It then waits for one of those users to browse away from a secure connection and onto an ordinary, unencrypted website.
When the victim's browser requests whatever page they want next, the attacker hijacks that request so the page also loads an image from the plain-HTTP version of a site the victim had used securely (e.g., mail.yahoo.com). The browser dutifully attaches its cookies for that domain to the image request, trying to let the server know the request is trusted. The attacker quietly copies those cookies, places them in his own cookie collection, visits the site, and is assumed to be logged in as that user.
Put simply: A pseudo-l33t script-kiddie fires up CookieMonster, sniffs traffic, grabs cookies, injects a load, and now owns your session.
Vulnerable Sites and Reactions
But fear not, trembling masses. Perry is well aware of the havoc that can be caused by such a tool and is working with major sites to fix their SSL weaknesses to render his own work obsolete.
Gmail was the obvious choice as the first victim because it’s such a big target. The security team at Google was the first to react after the presentation and tried to fix the problem with an “Always use https” option in the settings pane of Gmail accounts. You should enable that if you have a Gmail account.
Perry has released a list of allegedly vulnerable sites, and there are some heavy hitters:
- Airlines: Southwest.com, United.com, Usairways.com
- Banks: Bankofamerica.com, Usaa.com, Discovercard.com
- Merchants: Netflix.com, Apple.com, eBay.com
- Social Networking: Facebook, MySpace, Twitter (vulnerable via related tools)
Three Steps to Stay Safe
I have no doubt that most of these sites are now revisiting their SSL implementation, but until then, here is what you can do:
- Avoid Public Transactions: Don’t pay bills or order things while on public Wi-Fi at a coffee shop.
- Protect Your Home Network: Password-protect your Wi-Fi router.
- Always Log Out: Most importantly and simply, log out when you’re finished.
After checking your email or bank account, always click logout or sign out. It’s usually an easy-to-find link in the top right or top left of the site. Then sleep well, knowing your cookies are back in your own hands.