Bank of America -FAIL
Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels. Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios …
Next, clear all cookies marked as "SECURE" (in Firefox, go to preferences > privacy > show cookies. Delete only the cookies marked as "Encrypted connections only").
What if you visit the site and it doesnt have "marked as SECURE/Encrypted connections only" It has JSESSIONID, WT_FPC, and a couple of Apache... is that good or bad :s
This is a man in the middle attack run on a local network, you can do far more than nab cookies to sites.
And it is amusing people don't understand how cookies work, Lou Montulli is probably spinning in his grave (ok he is not dead, well not that I know off), but the mechanism has been in for ages to only transmit over a secured channel.
And you would have thought with all this phorm business, people would have looked into how they were handling their cookies, but a lot of folks use frameworks and obviuosly people who don't know what they are doing have been building those.
It is a little bit of a storm in a teacup, but the fix is so trivial, it is called not hiring cowyboy coders.
If you use an external proxy server you could easily be vulnerable to a Man in the Middle attack, but then if you're accessing sensitive sites via this method, you should step away from your PC.
Of course, there is the additional problem of the ubiquitious "transparent caches" employed by some ISPs, also.
I noticed that at least one person commenting above didn't understand the instructions properly, btw.
I see no "secure connection only" cookies after logging in to the co-op bank website, so presumably they're vulnerable.
Curiously Halifax do send one "secure only" cookie, however removing it doesn't cause the session to close so presumably it's one of the "any type of connection" cookies that actually matters.
Pathetic. Let's see how long it takes them all to fix it.
Royal bank of scotland fails for the login but now requires the use of crazy encrypto calc to do any sort of transfers outside of your own accounts.
So, someone could come in and transfer money between my own accounts, but would not be able to set up direct debits, transfer to someone else's account etc.
Not great, but at least its something. Just in time too. This is brand new,
Synovus Online Access - FAIL
(which feeds a plethora of small, home-town banks) has all of its cookies set as "any connection."
Chase - PASS
auth-user-info cookie set as encrypted only.
AT&T Wireless - FAIL
ALL cookies set as "any connection"
Sprint PCS - FAIL
ALL cookies set as "any connection"
Outlook Web Access (2003) - PASS
Removing the encrypted cookie kills the session
SBS 2003 Remote Web Workplace - FAIL
ALL cookies set to "any connection"
campus.fsu.edu (BlackBoard) - FAIL
Removing encrypted cookies (even an unencrypted by accident) retains the session.
Nelnet (Student loan handler) - BIG FAIL
Not only are all cookies set for "any connection," but all form fields used to retrieve forgotten account information are auto-complete.
Wells Fargo Financial - FAIL
ALL cookies set to "any connection"
GE Money Bank (statementlook.com) - PASS
Removing the encrypted cookie results in dead session and error.
That is all.
Shame on the lack of a Paris icon.
Also, Halifax fails. As do Nationwide, Alliance and Leicester, Bank of Nova Scotia, Bank of America, Barclays, eBay and Bubble Burst Finance according to above posts (Summary for those too lazy to look through the list...)
Paris because Steve missed an opportunity...
I have only ever visited a bank for one of three reasons; which are, in descending order of frequency: To draw out cash via the hole-in-the-wall machine; to pay in cash or cheques via the hole-in-the-wall machine; or occasionally to grovel to a bank manager and ask for an extension to my overdraft, pretty please with brass knobs on.
TTBOMK none of these functions are replicable via a web browser!
I can't even pay my home energy bills via the internet, as there is no such thing as a home recharging device for electricity keys or gas cards.
When you live out of town and work a full 9-5:30 day there is little you can do with a 'bricks and mortar' bank until the weekend. I am a digital generation member and I do everything online, shopping, banking, voting, council tax, etc, etc
There is no need to add extra cost to my already massive fuel bills to trapse into a chav-infested cesspool of a town just to check I have funds to buy something sucking time away from my precious weekend. Yes we managed for years but online banking (and shopping, and council services, et al) makes it so much easier and quicker and I'm less likely to get stabbed by chavs or mauled by their mixbreed dogs or monitored on CCTV or weashed away in a flash flood or happy slapped or given a torch that each night takes to a magical world.
I'd still maintain I'm less likely to have my details stolen online than by someone watching over my shoulder while I input my pin, by using an altered cashpoint or someone going through my rubbish.
Oh, how the middle classes suffer. (Not in silence). But at least the Grauniad spells words correctly these days - I'm told. Doubtless you'll be warm this winter, as you ponder whether to vote for the other lot next time, mindful they will start rolling back nu labour's jobs-for-the-boys-and-girls schemes, so exacerbating your fears in proportion to the number of unemployed.
Now, back to those dunces called banks, that have found yet another way to fuck things up..
Do you live near Ipswitch? Personally I can't wait to be immersed in a virtual fantasy world so I never have to leave my house either, the real world is so distatesful.
I was at a cash machine the other day, it had a little sticker which said "who's looking over your shoulder?" so I had a look.... oooh it's me....
I use barclays online banking and both the cookies are set to "use any type of connection" which I think is a fail. However barclays also use a token generator so maybe this offsets things.
A follow up article for less technical readers would be helpful, along with a list of the sites that are a proven problem. I cut code for a living, but I'm not a net guru.
> CookieMonster then injects images from insecure (non-https) portions of the protected website
So that means the vulnerability exists only if the secure site makes an http request. If the site always sends https, including requests for images and other resources, then there is no vulnerability. Agreed this would require a full scan of the site to ensure it was fully secure though.
There are loads of sites that accept usernames and passwords over an http connection before going to SSL, e.g. web mail apps.
Stop - because we need to think not panic.
It is amusing that the source shows the following: There are only two conditions under which the injection will be attempted. First, if the packet is part of a request for an HTML resource, and second if the request is being made (for any type of data) by MSIE:
# Check accept types for html (Avoid xml, rss, img, etc)
if "accept" in req.headers and \
"text/html" in req.headers["accept"] or \
"MSIE" in user_agent:
For those who mentioned the times you have to use networks of questionable ethics (internet cafe or what not) if you get a half decent router at home you should be able to set up dial-in VPNs on it.
Set up a VPN on your laptop or what not and tell it to use the VPN as the default gateway (which is the default iirc) and fire it up when you're on questionable networks.
Works a treat for me :D
(And I guess I'll take this belated opportunity to use the paris icon)
Biting the hand that feeds IT © 1998–2019