Web browsing on SSL sites may not be as secure as you think. Security researcher Mike Perry has released additional details about his CookieMonster tool, which can be used to steal private data via HTTPS cookies. Mike Perry spoke about the issue at the Defcon security conference.
Talk of HTTPS cookie hijacking is pushing its way toward the front of the
line of security concerns with the release of details regarding an automated
tool dubbed the CookieMonster.
The Python-based tool is the brainchild of reverse engineer Mike Perry, who
spoke about HTTPS cookie hijacking at the Defcon 16 security conference in Las
Vegas in August. Though Perry has put off making the
tool available to the general public, he recently posted more details
explaining how the tool works on his blog, which prompted the SANS Institute
to give a
With HTTPS cookies in their metaphorical jar, cyber-crooks could potentially
access online accounts. In an overview, Perry described CookieMonster as an
automated tool that can be configured to steal the cookies for a specific list
of domains for every client IP on the local network. The tool is also able to
compromise arbitrary insecure
SSL (Secure Sockets Layer) sites
without the need to provide such a target
"Basically, [the issue] revolves around the fact that cookies have two
modes: secure and insecure," Perry wrote in a blog post.
"If a cookie is insecure, a browser will transmit it for plain old HTTP
connections, and an active attacker can then inject a set of HTTP images for
sites that they want cookies for, and the browser will happily transmit cookies
for these sites unencrypted, allowing their capture."
In addition to insecure HTTPS cookies, CookieMonster also steals URL-based
session ID details, which are used to prevent cross-site request forgery.
According to Perry, the injection mechanism is the airpwn-style TCP
race condition attack. Currently, only open and WEP (Wired Equivalent Privacy) wireless
injection is supported.
"Since CookieMonster is local, it is able to respond to arbitrary Web
requests considerably faster than the actual Web server," he wrote in a
separate overview of the tool. "This allows us to hijack any connections
To check whether a Web site is vulnerable using Firefox, users can go to the
Privacy tab in the Preferences window and select Show Cookies.
"For a given site, inspect the individual cookies for the top-level
name of the site, and any subdomain names, and if any have 'Send For: Encrypted
connections only,' delete them," Perry explained on his blog. "Then
try to visit your site again. If it still allows you in, the site is insecure
and your session can be stolen. You should report this to the site maintainer."
To help deal with the issue, Firefox users can
reportedly take advantage of the NoScript