Researchers point out dangers of ‘cookie hijacking’ despite https


Two researchers from the Universities of Illinois and Columbia showed at the Black Hat conference that cookie stealing is still a big problem. A lot of sensitive data can be seen through such an attack, and https is only a partial solution.

Stealing a cookie sent over an unsecured http connection is fairly easy, say researchers Suphannee Sivakorn and Jason Polakis: monitoring a public Wi-Fi hotspot in a cafe with tools such as Wireshark and tcpdump is enough. They state that cookie hijacking is not a new phenomenon, but that it still causes problems, not least because only about half of the internet uses a secure https connection.

In addition, an encrypted connection does not offer complete protection against the interception of cookies. In some cases, a browser first connects to a site via http, after which the server replies that an https connection is also possible, and the connection continues over https. However, the cookie has already been exchanged during the unencrypted first part of the connection setup, so it can still be intercepted.

In their previously published research, the scientists focused on the 25 most popular sites on the Internet. Of these, 15 use https, showing that the technology is not yet ubiquitous. Even a presentation on Black Hat’s internal network revealed that most outbound connections were via http, which raised some questions. For example, many of the major sites support personalization over an unsecured connection. By stealing a cookie, this personalized version of the site can be viewed, revealing a large amount of sensitive data.

By connecting to the server with a stolen cookie, both via http and https, the researchers were able to retrieve from search engines such as Google, Bing and Yahoo the victim’s email address, profile picture and first and last name, for example. In addition, it was possible to view the search history, visited pages and saved locations. In the case of Yahoo, it was also possible to view titles and a summary of emails, export contacts and send emails from the victim’s account.

Major online stores like eBay, Target, Walmart, and Amazon all support https, but only for part of the site, for example logins and account pages. Other parts, such as the shopping cart and purchased products, are offered via an unsecured connection. As a result, this data can be viewed in combination with the username and e-mail address. In the case of eBay, it was possible to find out the full shipping address. By monitoring 15 percent of Columbia University’s Wi-Fi network for a month, the researchers eventually identified 282,000 vulnerable accounts.

The findings also have implications for the Tor network, the scientists said. By monitoring an exit node with permission for thirty days, it turned out that about three quarters of all traffic went via http. They could not measure cookies for privacy reasons, but based on the percentage of unsecured traffic it can be assumed that a large proportion of users is vulnerable.

A possible solution to this problem is hsts (HTTP Strict Transport Security), with which the server tells the browser to use only https connections to it. However, this technique only works properly if all subdomains of a website can be accessed via https, and that is not always the case: account.google.com could be accessed via https, but google.com/account could not. Google has solved this in the last five days, according to the researchers. Also, many sites have large sections running on legacy systems, leaving those sections unsecured.
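As an added illustration (not code from the researchers or the article), the check below parses Set-Cookie and Strict-Transport-Security headers from a server response and flags the two gaps described above: a cookie without the Secure attribute, which the browser also sends on the initial http request, and an hsts policy without includeSubDomains. The sample headers are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers for illustration, not captured from any real site.
SAMPLE_SET_COOKIE = [
    "SID=abc123; Path=/; HttpOnly",        # no Secure flag: sent on http requests too
    "PREF=xyz; Path=/; Secure; HttpOnly",  # Secure: only ever sent over https
]
SAMPLE_HSTS = "max-age=31536000"           # hsts set, but without includeSubDomains


def insecure_cookies(set_cookie_headers):
    """Names of cookies a browser would also attach to plain-http requests.
    Without the Secure attribute the cookie rides on the initial http request
    made before any redirect to https, which is where it can be intercepted."""
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        exposed += [name for name, m in jar.items() if not m["secure"]]
    return exposed


def parse_hsts(header):
    """Parse Strict-Transport-Security into (max_age, include_subdomains)."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def audit(set_cookie_headers, hsts_header):
    """Run both checks and return a list of findings (empty means clean)."""
    findings = [f"cookie {n!r} lacks Secure; exposed on http requests"
                for n in insecure_cookies(set_cookie_headers)]
    if hsts_header is None:
        findings.append("no hsts header; browser may still start over http")
        return findings
    max_age, subdomains = parse_hsts(hsts_header)
    if not max_age:
        findings.append("hsts max-age is 0 or missing; policy not enforced")
    if not subdomains:
        findings.append("hsts lacks includeSubDomains; subdomains stay exposed")
    return findings
```

Running `audit(SAMPLE_SET_COOKIE, SAMPLE_HSTS)` reports the SID cookie and the missing includeSubDomains directive; a site that also serves parts of itself only over http needs more than these header checks.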

The scientists warned the companies concerned in November, after which some companies took action. Other companies said, among other things, that ‘the new applications will be secure’ and that ‘risks like this just have to be accepted’. One possible solution for users is to install the HTTPS Everywhere extension from the Electronic Frontier Foundation. However, the researchers note that this does not always work and sometimes causes problems with certain sites.
