Fruit is lame. Cookies are the way to go. When I saw the big blue fur dude yell cookeeez! and stuff his face with crumbly goodness, I knew me and Cookie Monster would get along fine. But I was crushed to see he’s been dabbling in “grey hat” SSL exploit hacking. The gleefully delusional crumb muncher is the mascot of a new cookie-snatching hack that can collect your login info on Gmail, Netflix, or even your bank. Well, he’s not real, but the danger is.
The approach has been around for at least a year, but it publicly debuted a couple of weeks ago at the DEFCON security conference. The talk details how a hacker can trick your browser into transmitting your login info for secure sites. Gmail, banks, and many online merchants use https connections to protect you from prying eyes. Mike Perry, a self-described random hacker, gave a quick PowerPoint demo at the conference. Perry promises to release a tool that puts the power into the hands of legions of script kiddies (hackers who only use other people’s pre-written code) around the world.
It works by scanning wi-fi traffic for https (port 443) connections and logging the IP addresses of the hosts they talked to, then monitoring specific users who browse away from a secure connection and onto a normal website. When their browser asks for whatever page they want, the hacker hijacks the request to include an image from an unsecure alternative to a secure site, e.g., mail.yahoo.com over plain http. The browser then dutifully transmits its cookies for that domain, trying to let the server know that it’s a trusted request. The hacker quietly copies those cookies, places them in his own cookie collection, visits the site, and is assumed to be logged in as that user.
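The weakness the tool leans on is a cookie property rather than a flaw in SSL itself: a cookie issued without the Secure attribute is sent by the browser over plain http:// as well as https://, so an injected plain-http image request on the same domain carries the login cookie with it. The script below is an added example, not part of the original post and not Perry’s tool; it audits a few constructed Set-Cookie headers for a made-up example.com domain, simulates whether a browser would attach each cookie to an https page request versus an injected http image request, and shows the hardened header with Secure added. The SESSION_HINTS list is a heuristic of my own for spotting login cookies by name.

```python
"""Audit Set-Cookie headers for the flaw a cookie-sniffing attack relies on.

A cookie without the `Secure` attribute is attached to http:// requests as
well as https:// ones, so it crosses the wire in the clear whenever the
browser is made to load any plain-http resource on that domain.
"""
from urllib.parse import urlsplit

# Constructed sample headers; the domain, names and values are made up.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",           # login cookie, leaks over http
    "PREF=en; Domain=.example.com; Path=/",                        # harmless preference cookie
    "SSID=def456; Domain=.example.com; Path=/; Secure; HttpOnly",  # login cookie, https only
]

# Heuristic (an assumption of this example): names that usually carry a session.
SESSION_HINTS = ("sid", "sess", "auth", "token", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute keys are lower-cased; valueless flags such as Secure and
    HttpOnly are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def domain_matches(host, cookie_domain):
    """A host matches a Domain attribute if it equals it or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)


def would_send(header, url):
    """Simulate the browser: would this cookie be attached to a request for url?

    Simplification: a cookie with no Domain attribute is treated as matching
    any host, since the issuing host is not known here.
    """
    _name, _value, attrs = parse_set_cookie(header)
    parts = urlsplit(url)
    if "domain" in attrs and not domain_matches(parts.hostname, attrs["domain"]):
        return False
    if not (parts.path or "/").startswith(attrs.get("path", "/")):
        return False
    # The check that matters here: a Secure cookie never travels over plain http.
    if attrs.get("secure") is True and parts.scheme != "https":
        return False
    return True


def audit(headers):
    """Return names of cookies that look like session tokens but lack Secure."""
    leaky = []
    for h in headers:
        name, _value, attrs = parse_set_cookie(h)
        looks_like_session = any(hint in name.lower() for hint in SESSION_HINTS)
        if looks_like_session and attrs.get("secure") is not True:
            leaky.append(name)
    return leaky


def harden(header):
    """Return the header with Secure appended if it was missing."""
    _name, _value, attrs = parse_set_cookie(header)
    if attrs.get("secure") is True:
        return header
    return header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    print("Cookies that would leak over plain http:", audit(SAMPLE_HEADERS))
    for h in SAMPLE_HEADERS:
        name = parse_set_cookie(h)[0]
        for url in ("https://mail.example.com/inbox", "http://mail.example.com/img.gif"):
            verdict = "sent" if would_send(h, url) else "withheld"
            print(f"{name:5} -> {url}: {verdict}")
    print("Hardened:", harden(SAMPLE_HEADERS[0]))
```

Run it and the SID cookie is reported as sent to the http://mail.example.com image request while SSID is withheld; after harden() adds Secure to the SID header, the same request no longer carries it. That attribute is the server-side change the “fix their SSL weaknesses” line below amounts to for each cookie that identifies a logged-in user.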
Put simply: A pseudo-l33t script-kiddie fires up CookieMonster, sniffs stuff, grabs cookies, injects an image load, now pwns you.
But fear not, trembling masses. Perry is well aware of the havoc that can be caused by such a tool and is working with major sites to fix their SSL weaknesses to render his own work obsolete. Also, there are some basic steps you can take that will keep you in the clear for the time being.
Gmail was the obvious choice as first victim, because it’s such a big target. The security team at Google was the first to react after the presentation and tried to fix the problem with a “Browser connection: Always use https” option in the settings pane of Gmail accounts. You should enable that if you have a Gmail account. Although the fix works on a technical level, Perry correctly points out that it is of limited effectiveness in practice, because few users will turn the option on when Google itself warns that it may slow down the session.
Perry has gone out of his way to release the tool in a responsible way, and has communicated with not only Google and Microsoft but apparently many other sites. Just recently he released a list of allegedly vulnerable sites and there are some heavy hitters. Airlines: Southwest.com, United.com, Usairways.com. Banks: Bankofamerica.com, Usaa.com, Discovercard.com. Merchants: Netflix.com, Apple.com, eBay.com. And with a different but related tool, most social networking sites (Facebook, Myspace, Twitter, etc.) have been vulnerable for a while.
I have no doubt that most of these sites are now revisiting their SSL implementation and will come up with a CookieMonster-nullifying solution, but maybe not. So what can you do? Three things: Don’t pay bills or order things at a coffee shop. Password-protect your wi-fi router. Most importantly and simply, log out when you’re finished.
Again, after checking your e-mail or bank account, always click logout or sign out when you’re done. It’s usually a very easy-to-find link in the top right or top left of any site you’re signed in to.
And then sleep well, knowing your cookies are back in your own hands.