Any server can read all your IE cookies.
May 11, 2000 11:31 AM

Any server can read all your IE cookies. From any domain. Anyone. I was just explaining to my folks that the reason cookies are (generally) safe is that this was NOT possible. Well, it's possible now.
posted by ericost (32 comments total)
 
Oh no, now everyone's going to hack into my Hotmail account and read all my spam.

lz.
posted by lzealand at 11:38 AM on May 11, 2000


This is very very bad. It would be easy to grab info for every visitor to my site and dump this stuff into a database without them knowing. The media lives for things like this.

Let the hysteria begin!


posted by y6y6y6 at 11:49 AM on May 11, 2000


Actually, the cookies aren't retrievable on the server-side, only on client-side. So, you'd have to get them on the client-side, and then submit a form somehow back to the server to actually store any info.
posted by fil! at 12:11 PM on May 11, 2000


You're right, fil!, but since innocent-looking text links can actually be form submits, even savvy users could get fucked. Example exploit (via Slashdot, natch): this link will submit a post to Slashdot using your username, if you've got a login cookie.
posted by lbergstr at 12:22 PM on May 11, 2000


True, but that is a trivial step. If you have the skills to script the retrieval of the cookies on the client, you have the skills to get that data back to the server.
posted by ericost at 12:22 PM on May 11, 2000


Okay, so is this something I should worry about, or is this overblown?
posted by solistrato at 12:23 PM on May 11, 2000


If you use IE, I'd worry. Any site you go to now could theoretically be stealing logins to your personal tools.

This is an incredibly irresponsible thing to have let out the door. And it's almost painfully stupid. The URL required to use this exploit is a real URL, right? Cept they've used the escape codes for slashes instead of the actual slash. But IE obviously knows what the domain name is -- they had to open up a connection to that site and request the file. One part of IE knows that the page came from malicioushacker.com and one doesn't? That's idiotic.

Microsoft spends all this time and money building these scriptable applications that can talk back and forth to each other, allowing for such lovely things as the Iloveyou exploit, and yet they can't even get their browser talking to itself.

MMMmmMMM good programming practices!
posted by benbrown at 12:30 PM on May 11, 2000


I was a bit unclear in my explanation of how the thing works in that last message. You should read the peacefire thing.

A very basic explanation is that IE is getting tricked into thinking that a URL is from another server by making the URL look something like this:

www.benbrown.com%2f/stealcookiesfrom%2famazon.com

So some part of IE is so so stupid that it looks at that last bit, amazon.com, and even though it KNOWS that it just loaded a page off of benbrown.com, it says, hey, ok, it's from amazon! It's a simple parsing error which absolutely should not occur.
posted by benbrown at 12:33 PM on May 11, 2000
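The parsing disagreement benbrown describes, as an added example that is not from the thread and not IE's code: a host extractor that percent-decodes the whole URL before splitting on "/" reads a different host than one that splits first, and the defensive rule is that the raw authority must be a legal hostname and both readings must agree. The sample URL is benbrown's example with an assumed http:// scheme prepended.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Hostname labels: letters, digits, hyphens. A '%' can never be part of a host.
_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")

def host_before_decoding(url: str) -> Optional[str]:
    """Correct order: take the authority from the raw URL by splitting on the
    literal '/' first, then validate it. A percent-escape left in the
    authority means the URL is malformed, so return None."""
    if "://" not in url:
        return None
    authority = url.split("://", 1)[1].split("/", 1)[0]
    authority = authority.split("@")[-1].split(":")[0]  # drop userinfo / port
    return authority if _HOST_RE.match(authority) else None

def host_after_decoding(url: str) -> Optional[str]:
    """The mistake: percent-decode the whole URL, then look for the host.
    '%2f' turns into '/', so the host boundary moves."""
    return host_before_decoding(unquote(url))

def origin_is_consistent(url: str) -> bool:
    """True only when both readings yield the same valid host. Two browser
    components that disagree here (one fetches from A, the other scopes
    cookies to B) is exactly the split the thread is about."""
    raw, decoded = host_before_decoding(url), host_after_decoding(url)
    return raw is not None and raw == decoded

# Constructed inputs: a normal URL, and benbrown's example with a scheme added.
CLEAN_URL = "http://www.glish.com/cookies.html"
TRICK_URL = "http://www.benbrown.com%2f/stealcookiesfrom%2famazon.com"

if __name__ == "__main__":
    for u in (CLEAN_URL, TRICK_URL):
        print(u, host_before_decoding(u), host_after_decoding(u),
              "consistent" if origin_is_consistent(u) else "REJECT")
```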


A while ago I ranted because I could not set a cookie in Netscape that could be retrieved at both "http://glish.com" AND "http://www.glish.com." It is possible in IE, which is not in keeping with RFC 2109, and which is also the cause of this new exploit. I have learned a lesson.
posted by ericost at 12:45 PM on May 11, 2000
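The RFC 2109 domain rules ericost refers to, as an added example that is not part of the post or of any browser: the "domain-matches" test from section 2 and the Domain-attribute acceptance checks from section 4.3.2, applied to his glish.com case. Host names are constructed from the post.

```python
from typing import Optional

def domain_matches(host: str, domain: str) -> bool:
    """RFC 2109 section 2: A domain-matches B if they are identical, or
    A has the form NB with N non-empty and B starting with a dot.
    So www.glish.com matches .glish.com, but bare glish.com does not."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)

def accept_set_cookie(request_host: str, domain_attr: Optional[str]) -> Optional[str]:
    """RFC 2109 section 4.3.2 rules for the Domain attribute. Returns the
    effective domain the cookie is scoped to, or None if the user agent must
    reject the cookie. With no Domain attribute the scope is the exact host."""
    if domain_attr is None:
        return request_host.lower()
    d = domain_attr.lower()
    if not d.startswith(".") or d.count(".") < 2:   # needs a leading and an embedded dot
        return None
    if not domain_matches(request_host, d):         # host must lie inside the domain
        return None
    if "." in request_host.lower()[: -len(d)]:      # a.b.glish.com may not claim .glish.com
        return None
    return d

def cookie_sent_to(host: str, effective_domain: str) -> bool:
    """Whether a stored cookie with this effective domain is sent to host."""
    return domain_matches(host, effective_domain)

if __name__ == "__main__":
    scope = accept_set_cookie("www.glish.com", ".glish.com")
    for h in ("www.glish.com", "glish.com"):
        print(h, cookie_sent_to(h, scope))
```

The two prints show the behaviour ericost complains about: the .glish.com cookie reaches www.glish.com but not bare glish.com.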


"Any site you go to now could theoretically be stealing logins to your personal tools. "

That's a bit misleading. There's no reason for a site to store your login or password in a cookie. That would be very silly. I know what you mean though.

They can get the long string of characters that most sites use to identify users. They could then hack up a cookie file and look at your personal page.

They can't see anything that you wouldn't see from (for instance) your My Yahoo page. The examples listed at the bottom of the linked page are probably the worst you'll find.

A good thing to do right now (if you don't want to turn off Javascript) would be to just delete your cookie files.
posted by y6y6y6 at 1:14 PM on May 11, 2000


y6y6y6, but what if you check "remember me" at yahoo.com? or blogger.com? All they do then is check for the existence of a cookie with a valid ID value, and you are on. That is common practice, no?
posted by ericost at 1:19 PM on May 11, 2000


Ericost - good point you make about the "remember me" feature on sites. I reckon it is the site's responsibility to protect from stuff like this...a stupid thing to put in IE in the first place of course, but I think sites, if they get caught out by an individual exploiting the feature, should face some music too.
posted by tomcosgrave at 1:26 PM on May 11, 2000


"That is common practice, no?"

Yes. They would be able to get to your account. I was splitting hairs. They could even change your password. But they wouldn't be able to get your old password.

I don't know about other on-line mail services, but My Excite makes me enter a password every time I want to see my mail. This exploit wouldn't allow you to see my mail there.

"it is the site's responsibility to protect from stuff like this"

I think not. The ONLY way they would be able to do that is to make you log in every time. How were you thinking sites would go about protecting against this? I don't see how it could be done.
posted by y6y6y6 at 1:40 PM on May 11, 2000


This goes a bit deeper than, "Well, poop. Looks like someone else can access my spam on Hotmail." In the really real world, Joe User is a naughty lil' boy and uses the same password for everything. No, he doesn't change it every 2 weeks, either.

So if someone accesses his Amazon.com password or his Hotmail.com password, then chances are it is the same as his Citibank.com or FirstUnion.com password.

Is Joe User getting his just deserts for not playing "Musical Passwords?" Perhaps.

But that doesn't excuse Microsoft's neglectful oversight.
posted by furled at 2:35 PM on May 11, 2000


furled, no sites that I know of store unencrypted passwords in a cookie file. Usually the only thing that is stored is a unique ID that may log you on to only the system that planted the cookie. It is still a dreadfully serious security hole.
posted by ericost at 3:01 PM on May 11, 2000


Since you brought it up furled, I'd like to take a sec to gripe about login/passwords...

The growing number of sites that require you to register with a login and password is really dragging down the quality of my online experiences. Between all my various email accounts, three passwords at work, my SSN, SO's SSN, PINs, etc., I already feel burdened by the amount of information I have to keep straight. And then, it seems like every time I want to buy something online, the stores require me to create a login and password on their site just to shop there. Of course, my preferred login names are always taken or too long, so I wind up with 25 completely different login/password sets. And as for the NY Times-- register if I want to read anything on their site?-- NO WAY. It's just not worth it.

Maybe this should be another thread, but I _know_ there's got to be a better way to do this and I'd love to see some conversation on the topic.
posted by wiremommy at 3:19 PM on May 11, 2000


To prove how serious the cookie hole in IE is, I have set up the following demonstration. You must be using IE, and have checked "remember me" when you logged on to Blogger, or have logged on (and not off) to Blogger in your current browser session.
  1. Go create a new account at http://blogger.com (unless you want me to mess with your real account), check "remember me" when you log on.
  2. Create a new blog, enter your FTP password if you want me to be able to actually publish changes I make.
  3. Add a blog entry that says you want me (Eric Costello) to add an entry to prove I was there.
  4. Go to http://www.glish.com/cookies.html.
I will get your cookie info and will soon have access to your blog.

I have confirmed this works by hacking into pixelpony's blog.
posted by ericost at 3:26 PM on May 11, 2000


Metafilter remembers my password; guess I should fire up Netscape instead of IE :)
posted by Ned at 3:31 PM on May 11, 2000


I thought the NY times had a way around the Username and login. Something like partners.nytimes.com in place of www.
This is from Robotwisdom explaining the log in. That is of course if you really want to read the NY Times.
posted by brent at 3:33 PM on May 11, 2000


Wiremom: there is an answer. It's called Public Key Cryptography. You can't have it, since RSA still holds patents on the algorithms.

Sorry.
posted by baylink at 3:36 PM on May 11, 2000


On the other hand, those patents are expiring soon--the original Diffie-Hellman paper, which predates the RSA algorithm, was published in 1976. And since RSA-the-company has made claims about how the Diffie-Hellman patent protects all uses of public key crypto, I imagine the converse has also gotta be true; when D-H's patent goes, public key cryptography becomes public domain.
posted by snarkout at 3:57 PM on May 11, 2000


Wait -- I thought PGP/GPG were in the clear, legally. I'm wrong?
posted by lbergstr at 4:01 PM on May 11, 2000


as matt will confirm and as you can see if you view your metafilter cookie, the password is encrypted. it wouldn't prevent someone from stealing your cookie and posting as you, but they wouldn't know your password.
posted by sikk at 5:31 PM on May 11, 2000


Wiremommy - Some friends of mine use Gator - software that fills out registration forms for you, remembers all your passwords and IDs, encrypts data and more. I don't pretend to know a lot about it but it may be worth checking into - I'm tired of sticking post-it notes to the side of my computer.
posted by the webmistress at 5:35 PM on May 11, 2000


I *knew* there was a good reason that I use Opera. Sure, a handful of the 5K design entries wouldn't work for me, but at least my cookies are safe in their jar...
posted by CalvinTheBold at 7:18 PM on May 11, 2000


personally as big of an issue as it is, major sites or anything you would have to worry about that use cookies shouldn't really affect you. cookies in theory shouldn't store your password to an ecommerce site. they shouldn't store credit card info, none of that. so even though it's somewhat a breach of security, any major site storing info in cookies shouldn't be storing any data that is worth anything.
posted by sikk at 8:42 PM on May 11, 2000


So far I have accessed 4 blogger accounts using this security hole. With permission of course, but if I was malicious, I could have included in this very comment a script that would have given me the cookie of the next person with a blogger account that viewed this page. It is a serious hole, sikk. What about amazon one-click purchases? What about Pyra's project management system? Many online applications only require a cookie to log a user on, and once I can get your cookie, it is trivial to impersonate you to such an app.
posted by ericost at 9:44 PM on May 11, 2000


I agree with eric. It's a bloody big hole (and why, as of today, I'm going to stop using IE).
Think about it this way; if eric had posted his script (javascript?) on metafilter to e-mail him those cookies, he could then be posting as me. The thought that he could then perhaps log onto the place where I bought my domain name, change the DNS settings and fuck over my site, log onto eBay and sell my stuff (legally forcing me into the sale) scares the crap out of me.
This is big. Very, very, very big.
Eeeep.
posted by Neale at 10:51 PM on May 11, 2000


Yes, all the more so because so many desktop applications -- from calendaring to project management to website publishing -- are moving to the web. I trust Microsoft will close this one quickly ... but it would be nice if they'd post something about it for their customers ...
posted by dhartung at 10:51 AM on May 12, 2000


I'm very surprised that this isn't getting more mainstream press. Here's a scenario:

1) People will start yelling when they find people messing with their Amazon accounts.
2) They accuse Amazon of having a huge security hole
3) Amazon counters that they are using a buggy browser and they have no control over it.
4) MS gets sued because they knew about the bug, but never made any attempt to alert their customers.

Sounds like a serious class action suit to me.
posted by y6y6y6 at 11:49 AM on May 12, 2000


For the record, Microsoft "responded" to the concerns today, the first day it was officially in the media. For all the inattention to security they give in planning, they are pretty good about patching holes nowadays.
posted by dhartung at 2:24 PM on May 12, 2000


Um, y'all could go out and buy a Mac . . . .

Then this, and the I Love You thing, and bunches of other maladies wouldn't bother you.
posted by aladfar at 9:59 PM on May 12, 2000

