CookieMonster nabs user creds from secure sites

Websites used for email, banking, e-commerce and other sensitive applications just got even less secure with the release of a new tool that siphons users' authentication credentials - even when they're sent through supposedly secure channels. Dubbed CookieMonster, the toolkit is used in a variety of man-in-the-middle scenarios …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Bank of America -FAIL

    I'm disappointed.

  2. Anonymous Coward
    Anonymous Coward

    Alliance Leicester FAIL

    If the testing method described in the last para of the article is sound

  3. Max Vernon
    Thumb Up

    TD Canada Trust - PASS

    TD Canada Trust banking seems to work fine.

  4. Max Vernon
    Thumb Down

    Bank of Nova Scotia (Canada) - FAIL

    Not good...

  5. Michael James
    Happy

    St George Bank, Australia pass

    A few unsecured cookies, but without the secure ones; you're logged out. 8^)

  6. Tom

    For the legacy challenged

    How do you check in IE?

  7. Mart
    Thumb Up

    HSBC UK

    Looks ok here :)

  8. Anonymous Coward
    Thumb Up

    EBankInter - PASS

    Phew!

  9. david g
    Paris Hilton

    FIRST DIRECT - pass

    Paris - because it's obviously Phorm-related

  10. Anonymous Coward
    Anonymous Coward

    HSBC.co.uk - Pass

    Assuming validity of the test of course

  11. Anonymous Coward
    Anonymous Coward

    Halifax and Nationwide - FAIL

    Both allow cookies over "any type of connection"

  12. Aidan Ramskir

    Egg Banking - PASS

    Assuming I followed instructions properly

  13. Anonymous Coward
    Thumb Down

    Halifax - FAIL

    Disappointing

  14. Gerry
    Thumb Up

    FirstDirect - PASS

    Seems to have passed but I hope someone else tries the test.

  15. Aidan Samuel
    Thumb Up

    hsbc.co.uk - pass

    just the personal side, didn't try the business side.

  16. Anonymous Coward
    Alert

    Try Logging Out !?

    But the banks, and others, say to always logout, so that would surely (?) avoid this situation? Also all banks that I have used automatically log you off if unused for a few minutes.

    Anyway, will try a few...

  17. Neil Barnes Silver badge
    Thumb Up

    Barclays - UK - PASS

    Showed no cookies as secure, so didn't erase anything after the first clearing.

  18. Anonymous Coward
    Thumb Up

    First Direct - PASS

    First Direct seem to be OK :-)

  19. Anonymous Coward
    Anonymous Coward

    Standard Bank (South Africa) - PASS

    Only one cookie from the internet banking server, and it's "encrypted connection only".

  20. Danny

    Natwest - PASS

    If this method works

  21. FlatSpot

    What about?

    Next, clear all cookies marked as "SECURE" (in Firefox, go to preferences > privacy > show cookies. Delete only the cookies marked as "Encrypted connections only").

    What if you visit the site and it doesn't have "marked as SECURE/Encrypted connections only"? It has JSESSIONID, WT_FPC, and a couple of Apache... is that good or bad :s

  22. robert

    Bank Of Scotland - PASS

    Didn't even need to delete any cookies. As soon as I closed the Bank of Scotland tab, and then reopened it, I was logged out.

  23. druck Silver badge
    Unhappy

    Widespread

    Out of 10 banking and investment sites I've logged in to, only one is even using cookies set to "secure connections only", the rest are all "any connection", so I suspect the problem is extremely widespread.

  24. Prashant Kerai
    Thumb Up

    Lloyds TSB - PASS

    (whew)

  25. Anonymous Coward
    Anonymous Coward

    Halifax (UK) - FAIL

    (Assuming I'm following the guidelines correctly - there weren't any cookies marked as secure)

  26. Anonymous Coward
    Anonymous Coward

    Oh come on

    This is a man in the middle attack run on a local network, you can do far more than nab cookies to sites.

    And it is amusing people don't understand how cookies work, Lou Montulli is probably spinning in his grave (ok he is not dead, well not that I know of), but the mechanism has been in for ages to only transmit over a secured channel.

    And you would have thought with all this phorm business, people would have looked into how they were handling their cookies, but a lot of folks use frameworks and obviously people who don't know what they are doing have been building those.

    It is a little bit of a storm in a teacup, but the fix is so trivial, it is called not hiring cowboy coders.

  27. Anonymous Coward
    Anonymous Coward

    German Commerzbank, Volkswagenbank Pass , but ...

    ... it's not only your bank account. ebay.co.uk fails as does ebay.de

  28. Tim Parker
    Thumb Up

    HSBC (UK) - Pass

    Nuff z

  29. Rob Parsons
    Happy

    Lloyds TSB passes, I think

    Couldn't do that on Firefox for some reason, but the cookie manager in Opera says Lloyds TSB's online service cookies are secure.

  30. Anonymous Coward
    Anonymous Coward

    There's another way...

    There's one safe way to secure our online bank accounts...don't have them online!

    We've managed perfectly well for many years without online accounts.

    Think I'll put up with the slight increase in inconvenience by using a bricks and mortar bank account.

  31. This post has been deleted by its author

  32. Anonymous Coward
    Anonymous Coward

    barclays... FAIL

    Konqueror reports all cookies as ... "Secure: No".

  33. Anonymous Coward
    Anonymous Coward

    First Direct - pass?

    In FF3, didn't see any encrypted cookies etc, but deleted the many other new ones related to the session, then clicked on a button in the banking window - immediately booted right out...

    Anonymous as I don't want anyone to know who I bank with!

  34. blah
    Thumb Down

    Royal Bank Of Scotland - Fail

    Just rang them, and was told "we are aware of it" without me even saying what the issue was??

  35. David Hayes
    Thumb Up

    HSBC (UK) - Pass

    Thankfully they get something right!

  36. Steve Sherlock

    LloydsTSB - Pass

    I feel somewhat relieved, but then I remember I'm in court with the gits and it all comes crumbling down again :p

  37. Steve Sherlock

    (Bubble Burst) Student Finance website is wiiiiiiiiiiide open. FAIL

    Just tried out the student finance site which is full of lots of lovely personal info, and they're as open as.. (on the internet, must keep clean...) a really, really, really wide open thing. *cough*

  38. V
    Thumb Up

    Gnatwest

    Gnatwest - OK

    (they did something right for a change!)

  39. Charles Green
    Thumb Up

    Citibank - PASS

    From the US, anyway.

  40. Charles Green
    Thumb Up

    TD Ameritrade - PASS

    TD Ameritrade passes after removing secure cookies from 'ameritrade' and 'tdameritrade' domains.

  41. Robin Layfield
    Thumb Down

    Co-operative Bank - FAIL

    boohoo... no secure cookies. gonna report it now

  42. DZ-Jay

    USAA.com - FAIL

    Damn! not a Secure Cookie in sight!

    -dZ.

  43. Anonymous Coward
    Anonymous Coward

    Man in the Middle

    If you use an external proxy server you could easily be vulnerable to a Man in the Middle attack, but then if you're accessing sensitive sites via this method, you should step away from your PC.

    Of course, there is the additional problem of the ubiquitous "transparent caches" employed by some ISPs, also.

    I noticed that at least one person commenting above didn't understand the instructions properly, btw.

  44. Anonymous Coward
    Anonymous Coward

    Co-op bank - FAIL

    I see no "secure connection only" cookies after logging in to the co-op bank website, so presumably they're vulnerable.

    Curiously Halifax do send one "secure only" cookie, however removing it doesn't cause the session to close so presumably it's one of the "any type of connection" cookies that actually matters.

    Pathetic. Let's see how long it takes them all to fix it.
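
Added example, not part of any comment in this thread or of the article: the manual check the commenters describe (which cookies are marked "Encrypted connections only", and whether the login rides on one that is not) written as a Python audit of Set-Cookie headers. The sample headers and cookie names are constructed, and `session_names` is an assumption the tester supplies, since headers alone do not say which cookie carries the login.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), attrs


def audit(headers, session_names):
    """Classify cookies from an HTTPS login response.

    session_names: cookie names believed to carry the login (assumption
    supplied by the tester, e.g. found by deleting cookies one at a time).
    """
    secure, any_conn = [], []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        (secure if "secure" in attrs else any_conn).append(name)
    # A session cookie without Secure is also sent on plain-http requests.
    exposed = sorted(n for n in any_conn if n in session_names)
    if exposed:
        verdict = "FAIL"
    elif (set(secure) | set(any_conn)) & set(session_names):
        verdict = "PASS"
    else:
        verdict = "UNKNOWN"  # no session cookie seen in these headers
    return {"secure": secure, "any_connection": any_conn,
            "exposed_session": exposed, "verdict": verdict}


# Constructed samples. SITE_A: one Secure cookie exists, but the session
# cookie is not Secure. SITE_B: session cookie Secure, preference cookie not.
SITE_A = ["track=1; Path=/; Secure", "SESSIONID=abc123; Path=/"]
SITE_B = ["SESSIONID=xyz789; Path=/; secure; HttpOnly", "prefs=en; Path=/"]

if __name__ == "__main__":
    for label, headers in (("SITE_A", SITE_A), ("SITE_B", SITE_B)):
        print(label, audit(headers, {"SESSIONID"}))
```
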

  45. Roger Heathcote
    Thumb Up

    Nice hack

    That's a clever little hack, goes to show there's no easy way to check your balance on the coffee shop's free wifi connection. Have to admit I didn't know about secure cookies until I read this, I'd start using SSL on all my sites if certs were a whole lot cheaper :-)

  46. Len Goddard
    Thumb Down

    Cahoot (part of abbey)

    Flooded me with cookies but none were marked as secure.

    Deleting the cookies logged me out.

  47. Brian Miller

    RBS fail...ish

    Royal Bank of Scotland fails for the login but now requires the use of crazy encrypto calc to do any sort of transfers outside of your own accounts.

    So, someone could come in and transfer money between my own accounts, but would not be able to set up direct debits, transfer to someone else's account etc.

    Not great, but at least it's something. Just in time too. This is brand new,

  48. Hunter Chisholm
    Thumb Up

    National City - PASS

    So does American Express - pass

  49. lIsRT

    Alliance & Leicester - PASS?

    I see the 2nd comment above, but logging in to https://www.mybank.alliance-leicester.co.uk/index.asp it seems like a PASS, it *always* asks for my PIN anyway, so I'm not sure if that means it was safe already.

  50. Nigel Callaghan
    Thumb Up

    Abbey Business - PASS

    ...if I did it right.

  51. Anonymous Coward
    Alert

    Student, SBS RWW, and bank sites fail

    Synovus Online Access - FAIL

    (which feeds a plethora of small, home-town banks) has all of its cookies set as "any connection."

    Chase - PASS

    auth-user-info cookie set as encrypted only.

    AT&T Wireless - FAIL

    ALL cookies set as "any connection"

    Sprint PCS - FAIL

    ALL cookies set as "any connection"

    Outlook Web Access (2003) - PASS

    Removing the encrypted cookie kills the session

    SBS 2003 Remote Web Workplace - FAIL

    ALL cookies set to "any connection"

    campus.fsu.edu (BlackBoard) - FAIL

    Removing encrypted cookies (even an unencrypted by accident) retains the session.

    Nelnet (Student loan handler) - BIG FAIL

    Not only are all cookies set for "any connection," but all form fields used to retrieve forgotten account information are auto-complete.

    Wells Fargo Financial - FAIL

    ALL cookies set to "any connection"

    GE Money Bank (statementlook.com) - PASS

    Removing the encrypted cookie results in dead session and error.

    That is all.

  52. Anonymous Coward
    Paris Hilton

    @Steve Sherlock

    Shame on the lack of a Paris icon.

    Also, Halifax fails. As do Nationwide, Alliance and Leicester, Bank of Nova Scotia, Bank of America, Barclays, eBay and Bubble Burst Finance according to above posts (Summary for those too lazy to look through the list...)

    Paris because Steve missed an opportunity...

  53. Anonymous Coward
    Alert

    Title shmitle

    Royal Bank of Scotland - PASS

    Paypal .co.uk - PASS (gasp!)

    Ebay .co.uk - FAIL

    It's been said that this is "a storm in a teacup" etc but many people may have to use networks of questionable security/ integrity & this kind of problem really should be eliminated during development.

  54. A J Stiles
    Stop

    What's the attraction of banking websites anyway?

    I have only ever visited a bank for one of three reasons; which are, in descending order of frequency: To draw out cash via the hole-in-the-wall machine; to pay in cash or cheques via the hole-in-the-wall machine; or occasionally to grovel to a bank manager and ask for an extension to my overdraft, pretty please with brass knobs on.

    TTBOMK none of these functions are replicable via a web browser!

    I can't even pay my home energy bills via the internet, as there is no such thing as a home recharging device for electricity keys or gas cards.

  55. Anonymous Coward
    Unhappy

    @ RotaCyclic

    When you live out of town and work a full 9-5:30 day there is little you can do with a 'bricks and mortar' bank until the weekend. I am a digital generation member and I do everything online, shopping, banking, voting, council tax, etc, etc

    There is no need to add extra cost to my already massive fuel bills to traipse into a chav-infested cesspool of a town just to check I have funds to buy something sucking time away from my precious weekend. Yes we managed for years but online banking (and shopping, and council services, et al) makes it so much easier and quicker and I'm less likely to get stabbed by chavs or mauled by their mixbreed dogs or monitored on CCTV or washed away in a flash flood or happy slapped or given a torch that each night takes to a magical world.

    I'd still maintain I'm less likely to have my details stolen online than by someone watching over my shoulder while I input my pin, by using an altered cashpoint or someone going through my rubbish.

    nuff said?

  56. Luther Blissett

    @Stu

    Oh, how the middle classes suffer. (Not in silence). But at least the Grauniad spells words correctly these days - I'm told. Doubtless you'll be warm this winter, as you ponder whether to vote for the other lot next time, mindful they will start rolling back nu labour's jobs-for-the-boys-and-girls schemes, so exacerbating your fears in proportion to the number of unemployed.

    Now, back to those dunces called banks, that have found yet another way to fuck things up..

  57. Mike

    @Stu

    Do you live near Ipswitch? Personally I can't wait to be immersed in a virtual fantasy world so I never have to leave my house either, the real world is so distasteful.

    I was at a cash machine the other day, it had a little sticker which said "who's looking over your shoulder?" so I had a look.... oooh it's me....

  58. blah
    Thumb Up

    credit to RBS

    Fixed within half a day

  59. Mike Morris
    Unhappy

    COMCAST - FAIL

    This is for email and account management. Both have the secure cookie, both ignore its deletion.

    Cheers,

    Mike

  60. This post has been deleted by its author

  61. Anonymous Coward
    Anonymous Coward

    You ain't got no cookies.

    My bank hasn't let me log in since yesterday, it says 'cookies must be enabled' even though they are. Same deal from multiple computers. Maybe they broke it whilst trying to fix it. Anyways, I should probably call them.

  62. jorb

    Barclays Fail - I think

    I use Barclays online banking and both the cookies are set to "use any type of connection" which I think is a fail. However Barclays also use a token generator so maybe this offsets things.

    A follow up article for less technical readers would be helpful, along with a list of the sites that are a proven problem. I cut code for a living, but I'm not a net guru.

    Thanx

    J.

  63. Anonymous Coward
    Thumb Down

    It's a right mess indeed

    But I think if I got my account emptied because of this I'd expect the bank to refill it again without too much of a quibble. It's hardly my fault if their security is pathetic.

  64. Remy Redert

    For those in the Netherlands, Postbank - pass

    Didn't even bother to check for cookies, it only ever stores username in one and flat out refuses to remember a session. As soon as you close the browser tab/window you are once more logged out.

  65. Alan W. Rateliff, II
    Thumb Down

    Walgreens - FAIL

    All cookies are allowed over any connection type. And this site handles medical information. For shame.

  66. Dr Wheetos
    Stop

    What's the deal?

    > CookieMonster then injects images from insecure (non-https) portions of the protected website

    So that means the vulnerability exists only if the secure site makes an http request. If the site always sends https, including requests for images and other resources, then there is no vulnerability. Agreed this would require a full scan of the site to ensure it was fully secure though.

    There are loads of sites that accept usernames and passwords over an http connection before going to SSL, e.g. web mail apps.

    Stop - because we need to think not panic.

  67. James Butler

    2 Notes

    1) If one must use cookies (instead of SESSIONS) to retain state then use cookies only for very basic, overview-type stuff. Force any transactions to be session-based, and require a secondary login using vendor-supplied credentials. I submit that using cookies of any kind for anything on a sensitive site is foolish.

    2) It is amusing that the source shows the following: There are only two conditions under which the injection will be attempted. First, if the packet is part of a request for an HTML resource, and second if the request is being made (for any type of data) by MSIE:

        ...
        # Check accept types for html (Avoid xml, rss, img, etc)
        if "accept" in req.headers and \
           "text/html" in req.headers["accept"] or \
           "MSIE" in user_agent:
        ...

    Righteous.

  68. Marc
    Thumb Up

    Commonwealth Bank = PASS!

    Commbank in Australia seemed to be fine

    Anon because you don't need to know who I bank with :)

  69. Steve Sherlock
    Paris Hilton

    Security "in the open"

    For those who mentioned the times you have to use networks of questionable ethics (internet cafe or what not) if you get a half decent router at home you should be able to set up dial-in VPNs on it.

    Set up a VPN on your laptop or what not and tell it to use the VPN as the default gateway (which is the default iirc) and fire it up when you're on questionable networks.

    Works a treat for me :D

    (And I guess I'll take this belated opportunity to use the paris icon)

  70. Darren Lovell
    Coat

    Now me eat credit card!

    Om nom nom nom!

    Mine's the one with the blue fur and the googly eyes.

  71. Duncan Parkes
    Unhappy

    smile - FAIL

    I'm not smiling.

  72. Anonymous Coward
    Thumb Down

    US Bank - FAIL

    US Bank set 0 of 3 cookies to 'Encrypted connections only'

  73. Anonymous Coward
    Anonymous Coward

    RBC Canada pass

    Type your comment here — plain text only, no HTML

  74. jerry stone
    Thumb Up

    Bank of Nova Scotia Canada passed for me, scotiaonline asked me to log

    on again once cookies were deleted

  75. Robin
    Thumb Down

    President's Choice Financial (Canada) fails.

    All cookies sent are set for Any Connection.

    Tested this and contacted the bank who sent me back a nice form letter about using secure procedures. They didn't mention using Windows is insecure.

    Well I decided to go public.
