Talk of HTTPS cookie hijacking is pushing its way toward the front of the line of security concerns with the release of details regarding an automated tool dubbed the CookieMonster.
The Python-based tool is the brainchild of reverse engineer Mike Perry, who spoke about HTTPS cookie hijacking at the Defcon 16 security conference in Las Vegas in August. Though Perry has put off making the tool available to the general public, he recently posted more details explaining how the tool works on his blog, which prompted the SANS Institute to give a heads-up.
With HTTPS cookies in their metaphorical jar, cyber-crooks could potentially access online accounts. In an overview, Perry described CookieMonster as an automated tool that can be configured to steal the cookies for a specific list of domains for every client IP on the local network. The tool is also able to compromise arbitrary insecure SSL (Secure Sockets Layer) sites without the need to provide such a target list.
“Basically, [the issue] revolves around the fact that cookies have two modes: secure and insecure,” Perry wrote in a blog post. “If a cookie is insecure, a browser will transmit it for plain old HTTP connections, and an active attacker can then inject a set of HTTP images for sites that they want cookies for, and the browser will happily transmit cookies for these sites unencrypted, allowing their capture.”
In addition to insecure HTTPS cookies, CookieMonster also steals URL-based session ID details, which are used to prevent cross-site request forgery.
According to Perry, the injection mechanism is the airpwn-style TCP race condition attack. Currently, only open and WEP (Wired Equivalent Privacy) wireless injection is supported.
“Since CookieMonster is local, it is able to respond to arbitrary Web requests considerably faster than the actual Web server,” he wrote in a separate overview of the tool. “This allows us to hijack any connections we wish.”
To check whether a Web site is vulnerable using Firefox, users can go to the Privacy tab in the Preferences window and select Show Cookies.
“For a given site, inspect the individual cookies for the top-level name of the site, and any subdomain names, and if any have ‘Send For: Encrypted connections only,’ delete them,” Perry explained on his blog. “Then try to visit your site again. If it still allows you in, the site is insecure and your session can be stolen. You should report this to the site maintainer.”
To help deal with the issue, Firefox users can reportedly take advantage of the NoScript 18.104.22.168 plug-in.