CookieMonster attack
The CookieMonster attack is a man-in-the-middle exploit in which a third party obtains a site's HTTPS cookie data when the cookies have not been marked "Encrypted Sessions Only" (the cookie's Secure attribute). A browser attaches every cookie scoped to a host to any request for that host, including a plaintext http:// request. An active attacker who can inject a reference to an http:// URL of the target site into a page the victim is viewing therefore receives, in cleartext, every cookie for that site that lacks the Secure attribute, even if the victim has only ever used the site over HTTPS. Where those cookies carry the login session, this gives the attacker access to sites holding sensitive personal or financial information. CookieMonster is a Python-based tool developed by security researcher Mike Perry. Perry originally announced the vulnerability exploited by CookieMonster on BugTraq in 2007. A year later he demonstrated CookieMonster as a proof-of-concept tool at Defcon 16.

Users of the World Wide Web can reduce their exposure to CookieMonster attacks by avoiding websites that are vulnerable to them. Some web browsers let the user establish which sites these are. In Firefox, for example, the user can open the Privacy tab of the Preferences window and click 'Show Cookies'. For a given site, inspecting the individual cookies set for the site's top-level name and for any of its subdomains shows whether 'Send For: Encrypted connections only' (the Secure attribute) has been set. If some cookies have it, the user can test the site by deleting those cookies and visiting the site again. If the site still treats the user as logged in, the session is being carried by cookies that lack the flag, and the site is vulnerable to CookieMonster attacks.
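The mechanism above, as an added example that is not code from Perry's CookieMonster tool or from the original page: a small cookie-jar model that shows which cookies a browser would attach to an injected plaintext request for a site, and therefore which cookies the attacker would capture. The hostnames, cookie names and values are constructed for illustration; the only real browser behaviour modelled is that Secure cookies are withheld from http:// requests while everything else in scope is sent.

```python
"""Which cookies does an active attacker receive if they inject a reference to
http://<host>/ into a page the victim is viewing?

Added example; not code from Mike Perry's CookieMonster tool or from the
original page. Hostnames and cookie values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # host the cookie is scoped to, without a leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    secure: bool     # the "Encrypted connections only" / Secure attribute
    http_only: bool


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value followed by ';'-separated attributes.
    Attribute names are case-insensitive; Secure and HttpOnly are bare flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain_attr = attrs.get("domain", "")
    if domain_attr:
        domain, host_only = domain_attr.lstrip(".").lower(), False
    else:
        domain, host_only = request_host.lower(), True
    return Cookie(
        name=name.strip(),
        value=value,
        domain=domain,
        host_only=host_only,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
    )


def domain_matches(host: str, cookie: Cookie) -> bool:
    """Host-only cookies go back only to the exact host that set them;
    domain cookies also go to every subdomain of their Domain."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def cookies_sent_to(jar: List[Cookie], host: str, scheme: str) -> List[Cookie]:
    """Cookies a browser attaches to a request for scheme://host/.
    Secure cookies are withheld from plaintext http:// requests; nothing else
    about cookie selection differs between the two schemes."""
    return [
        c for c in jar
        if domain_matches(host, c) and (scheme == "https" or not c.secure)
    ]


def cookiemonster_leak(jar: List[Cookie], host: str) -> List[Cookie]:
    """What the attacker captures: the victim's browser follows the injected
    http://host/ reference and sends these cookies in the clear."""
    return cookies_sent_to(jar, host, "http")


# Constructed jar for a hypothetical site: a non-Secure session cookie, a Secure
# session cookie, a host-only Secure cookie and a non-Secure preference cookie.
SAMPLE_SET_COOKIE = [
    ("mail.example.test", "SID=sessiontoken123; Domain=.example.test; Path=/; HttpOnly"),
    ("mail.example.test", "SSID=secureonly456; Domain=.example.test; Path=/; Secure; HttpOnly"),
    ("accounts.example.test", "LSID=hostonly789; Path=/; Secure"),
    ("www.example.test", "PREF=lang%3Den; Domain=.example.test; Path=/"),
]
SAMPLE_JAR = [parse_set_cookie(hdr, host) for host, hdr in SAMPLE_SET_COOKIE]


def leaked_cookie_names(host: str = "mail.example.test") -> List[str]:
    """Names of the sample cookies an attacker would capture for the given host."""
    return [c.name for c in cookiemonster_leak(SAMPLE_JAR, host)]


if __name__ == "__main__":
    for target in ("mail.example.test", "accounts.example.test"):
        print(f"injected http://{target}/ leaks: {leaked_cookie_names(target)}")
```

In the sample jar the Secure session cookie SSID never leaves the browser over plaintext, while SID, which authenticates the same session but lacks the flag, is handed to the attacker as soon as the injected image loads. That is exactly the condition the Firefox test above detects: a site that still accepts a login after its Secure cookies are deleted is relying on a cookie like SID. The server-side fix is to set the Secure attribute on every cookie that authenticates the session, not only on some of them.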


Affected websites

Websites allegedly affected by CookieMonster included:

* Google services, including Gmail, Blogger, Google Docs, Google Finance and search history
* Airline/travel websites: Southwest, United, Expedia, USAirways.com, priceline.com
* Banks: National City, USAA, Patelco, CapitalOne
* Domain registrars: Register.com, namesecure.com
* Merchants: eBay, wireless.att.com, Netflix, Newegg


See also

* HTTP cookie § Cookie theft and session hijacking
* Session hijacking



External links


* Perry's Defcon presentation (YouTube)
* https://fscked.org/proj/cookiemonster/ActiveHTTPSCookieStealing.pdf - Defcon presentation slides
* http://fscked.org/blog/cookiemonster-core-logic-configuration-and-readmes - CookieMonster core logic, configuration and READMEs