Feeds

back to article CookieMonster nabs user creds from secure sites

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels. Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios …

COMMENTS

This topic is closed for new posts.

Page:

Anonymous Coward

Bank of America -FAIL

I'm disappointed.

0
0
Anonymous Coward

Alliance Leicester FAIL

If the testing method described in the last para of the article is sound

0
0
Thumb Up

TD Canada Trust - PASS

TD Canada Trust banking seems to work fine.

0
0
Thumb Down

Bank of Nova Scotia (Canada) - FAIL

Not good...

0
0
Happy

St George Bank, Australia pass

A few unsecured cookies, but without the secure ones; you're logged out. 8^)

0
0
Tom
Silver badge

For the legacy challenged

How do you check in IE?

0
0
Thumb Up

HSBC UK

Looks ok here :)

0
0
Thumb Up

EBankInter - PASS

Phew!

0
0
Paris Hilton

FIRST DIRECT - pass

Paris - because it's obviously Phorm-related

0
0
Anonymous Coward

HSBC.co.uk - Pass

Assuming validity of the test of course

0
0
Anonymous Coward

Halifax and Nationwide - FAIL

Both allow cookies over "any type of connection"

0
0

Egg Banking - PASS

Assuming I followed instructions properly

0
0
Thumb Down

Halifax - FAIL

Disappointing

0
0
Thumb Up

FirstDirect - PASS

Seems to have passed but I hope someone else tries the test.

0
0
Thumb Up

hsbc.co.uk - pass

just the personal side, didn't try the business side.

0
0
Alert

Try Logging Out !?

But the banks, and others, say to always logout, so that would surely (?) avoid this situation? Also all banks that I have used automatically log you off if unused for a few minutes.

Anyway, will try a few...

0
0
Silver badge
Thumb Up

Barclays - UK - PASS

Showed no cookies as secure, so didn't erase anything after the first clearing.

0
0
Thumb Up

First Direct - PASS

First Direct seem to be OK :-)

0
0
Anonymous Coward

Standard Bank (South Africa) - PASS

Only one cookie from the internet banking server, and it's "encrytped connection only".

0
0

Natwest - PASS

If this method works

0
0

What about?

Next, clear all cookies marked as "SECURE" (in Firefox, go to preferences > privacy > show cookies. Delete only the cookies marked as "Encrypted connections only").

What if you visit the site and it doesnt have "marked as SECURE/Encrypted connections only" It has JSESSIONID, WT_FPC, and a couple of Apache... is that good or bad :s

0
0

Bank Of Scotland - PASS

Didnt even need to delete any cookies. As soon as I closed the Bank of Scotland tab, and then reopened it, I was logged out.

0
0
Unhappy

Widespread

Out of 10 banking an investment sites I've logged in to, only one is even using cookies set to "secure connections only", the rest are all "any connection", so I suspect the problem is extremely widespread.

0
0
Thumb Up

Lloyds TSB - PASS

(whew)

0
0
Anonymous Coward

Halifax (UK) - FAIL

(Assuming I'm following the guidelines correcly - there weren't any cookies marked as secure)

0
0
Anonymous Coward

Oh come on

This is a man in the middle attack run on a local network, you can do far more than nab cookies to sites.

And it is amusing people don't understand how cookies work, Lou Montulli is probably spinning in his grave (ok he is not dead, well not that I know off), but the mechanism has been in for ages to only transmit over a secured channel.

And you would have thought with all this phorm business, people would have looked into how they were handling their cookies, but a lot of folks use frameworks and obviuosly people who don't know what they are doing have been building those.

It is a little bit of a storm in a teacup, but the fix is so trivial, it is called not hiring cowyboy coders.

0
0
Anonymous Coward

German Commerzbank, Volkswagenbank Pass , but ...

... it's not only your bank account. ebay.co.uk fails as does ebay.de

0
0
Thumb Up

HSBC (UK) - Pass

Nuff z

0
2
Happy

Lloyds TSb passes, I think

Couldn't do that on Firefox for some reason, but the cookie manager in Opera says Lloyds TSB's online service cookies are secure.

0
0
Anonymous Coward

There's another way...

There's one safe way to secure our online bank accounts...don't have them online!

We've managed perfectly well for many years without online accounts.

Think I'll put up with the slight increase in inconvenience by using a bricks and mortar bank account.

0
0

This post has been deleted by its author

Anonymous Coward

barclays... FAIL

Konqueror reports all cookies as ... "Secure: No".

0
0
Anonymous Coward

First Direct - pass?

In FF3, didn't see any encrypted cookies etc, but deleted the many other new ones related to the session, then clicked on a button in the banking window - immediately booted right out...

Anonymous as I don't want anyone to know who I bank with!

0
0
Thumb Down

Royal Bank Of Scotland - Fail

Just rang them, and was told "we are aware of it" without me even saying what the issue was??

0
0
Thumb Up

HSBC (UK) - Pass

Thankfully they get something right!

0
0

LloydsTSB - Pass

I feel somewhat relieved, but then I remember I'm in court with the gits and it all comes crumbling down again :p

0
0

(Bubble Burst) Student Finance website is wiiiiiiiiiiide open. FAIL

Just tried out the student finance site which is full of lots of lovely personal info, and they're as open as.. (on the internet, must keep clean...) a really, really, really wide open thing. *cough*

0
0
V
Thumb Up

Gnatwest

Gnatwest - OK

(they did something right for a change!)

0
0
Thumb Up

Citibank - PASS

From the US, anyway.

0
0
Thumb Up

TD Ameritrade - PASS

TD Ameritrade passes after removing secure cookies from 'ameritrade' and 'tdameritrade' domains.

0
0
Thumb Down

Co-operative Bank - FAIL

boohoo... no secure cookies. gonna report it now

0
0

USAA.com - FAIL

Damn! not a Secure Cookie in sight!

-dZ.

0
0
Anonymous Coward

Man in the Middle

If you use an external proxy server you could easily be vulnerable to a Man in the Middle attack, but then if you're accessing sensitive sites via this method, you should step away from your PC.

Of course, there is the additional problem of the ubiquitious "transparent caches" employed by some ISPs, also.

I noticed that at least one person commenting above didn't understand the instructions properly, btw.

0
0
Anonymous Coward

Co-op bank - FAIL

I see no "secure connection only" cookies after logging in to the co-op bank website, so presumably they're vulnerable.

Curiously Halifax do send one "secure only" cookie, however removing it doesn't cause the session to close so presumably it's one of the "any type of connection" cookies that actually matters.

Pathetic. Let's see how long it takes them all to fix it.

0
0
Thumb Up

Nice hack

That's a clever little hack, goes to show there's no easy way to check your balance on the coffee shop's free wifi connection. Have to admit I didn't know about secure cookies until I read this, I'd start using SSL on all my sites if certs were a whole lot cheaper :-)

0
0
Thumb Down

Cahoot (part of abbey)

Flooded me with cookies but none were marked as secure.

Deleting the cookies logged me out.

0
0

RBS fail...ish

Royal bank of scotland fails for the login but now requires the use of crazy encrypto calc to do any sort of transfers outside of your own accounts.

So, someone could come in and transfer money between my own accounts, but would not be able to set up direct debits, transfer to someone else's account etc.

Not great, but at least its something. Just in time too. This is brand new,

0
0
Thumb Up

National City - PASS

So does American Express - pass

0
0

Alliance & Leicester - PASS?

I see the 2nd comment above, but logging in to https://www.mybank.alliance-leicester.co.uk/index.asp it seems like a PASS, it *always* asks for my PIN anyway, so I'm not sure if that means it was safe already.

0
0
Silver badge
Thumb Up

Abbey Business - PASS

...if I did it right.

0
0

Page:

This topic is closed for new posts.