Question & Answer
Does IBM Security Systems provide any coverage for the CookieMonster hacking tool?
A small oversight in the way secure cookies are being configured by some major websites, such as mail, Facebook, Yahoo Mail, Hotmail, many on-line retailers and even some on-line banks, is allowing a new hacking tool on the web called CookieMonster to hijack users accounts. The program relies on several commonly used hacking techniques to seamlessly steal a user's improperly handled HTTPS cookies.
The entire exploit is based around the fact that many sites using SSL only support SSL partially, be it out of an oversight or as a choice to save on costs. The SSL bit in transmitted data is seldom used, for example, and in the case of a cookie file, this lack of security can result in a loss of personal security. Cookie theft is not something that can reasonably be identified at the network layer. There is no way to determine that a packet with a given HTTP session token is valid for that HTTP session. The same weakness that makes this attack possible is what also makes it difficult (if not impossible) to detect.
Cookie theft does not involve exploiting a specific vulnerability. This issue arises because HTTP is a stateless protocol. There is no way for it to determine which IP address maps to which HTTP session. So, web developers almost always use some form of session token. This usually comes in the form of a cookie or unique session identifier in the URL. If someone is able to get your unique identifier, they can make a request to the web app using the same identifier and see your session.
Unfortunately, there is nothing a web developer can do to completely remove the potential for this attack in a web app. There are some steps that can be taken to reduce the likelihood of attack. For example, cookies that are used for web sessions that could expose sensitive information should be transmitted over HTTPS, and set the secure flag so they cannot accidentally be sent in clear text. Additionally, they can set the timeout on the session cookies to be the smallest logical value for their particular application. This way, if a cookie is stolen, it will have to be used very quickly, or it becomes useless.
16 June 2018