US-CERT warns of insecure cookies
US-CERT has warned users of a security problem that mostly affects users of insecure networks, such as WLAN hotspots, and may allow attackers to gain complete control of their victims' accounts. This is not a new or unknown problem; evidently, CERT wants to raise users' awareness in view of recently published tools such as Ferret, which was presented at the last Blackhat Conference and collects information such as session cookies from wireless networks.
While many services, such as Google Mail, offer encrypted authentication, which prevents eavesdroppers on the network from reading login credentials, passwords in particular, the actual use of the service is often left unencrypted for performance and cost reasons. To associate the browser's subsequent requests with the logged-in session, the web site sets a session cookie at log-in, which the browser then sends to the server with every page request to that site.
Attackers who succeed in intercepting such a session cookie can take over the user's session: they can read the victim's e-mails without needing a password and take any action that does not require renewed password authentication. If the cookie has a long validity and is not invalidated by the web server, for instance at log-off, the attacker can exploit it for a longer period of time. Users of WLAN hotspots are particularly affected, since anybody on the same wireless network can read data transmitted without encryption. Wired networks are also vulnerable, however; attackers connected to the same switch can, for instance, use ARP spoofing to intercept the network traffic.
According to US-CERT, the web sites of Microsoft, Google and Yahoo are particularly vulnerable; at the moment it is not clear whether eBay and Myspace are also affected. Various techniques provide protection against this kind of attack. One workaround is to bind a session to an IP address, as is done in the Heise Forum. This will not, however, hold off attackers behind the same NAT router, since they reach the web server from the same IP address, namely that of the router.
Encrypting the complete session is the only means of ensuring real and complete protection. If the service provider does not offer such protection, hotspot users can, for instance, protect themselves against eavesdroppers on the network by routing all of their traffic through a VPN tunnel. Although this does not protect the path from the VPN end point to the web server, attackers would then need access to the provider's infrastructure or the backbone to intercept other users' traffic.
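How a site can implement the two server-side protections discussed above, as an added example that is not part of the original article or the US-CERT note: the session cookie is marked Secure so the browser only ever sends it over an encrypted connection, its validity is kept short, and it is invalidated on the server at log-off so a captured cookie stops working. The function names, the 30-minute lifetime and the cookie name are assumptions made for this example.

```python
# Added example, not code from the article or the US-CERT note.
# Minimal server-side session store: Secure/HttpOnly cookie, short
# validity, and server-side invalidation at log-off.
import secrets
import time

SESSION_LIFETIME = 30 * 60  # seconds (assumed); short validity limits replay

# session id -> (user, expiry timestamp); kept only on the server side
_sessions = {}


def login(user, now=None):
    """Create a session; return (session_id, Set-Cookie header value).

    Secure: the browser sends the cookie only over HTTPS, so a plaintext
    request on the hotspot never carries it. HttpOnly: page scripts cannot
    read it. Max-Age: bounds how long a captured cookie would stay valid.
    """
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable, 256 bits of entropy
    _sessions[sid] = (user, now + SESSION_LIFETIME)
    header = "session=%s; Secure; HttpOnly; Path=/; Max-Age=%d" % (sid, SESSION_LIFETIME)
    return sid, header


def current_user(sid, now=None):
    """Return the user for a presented session id, or None if unknown/expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None
    user, expiry = entry
    if now >= expiry:
        _sessions.pop(sid, None)  # drop expired sessions eagerly
        return None
    return user


def logout(sid):
    """Server-side invalidation: a cookie intercepted earlier is now useless."""
    _sessions.pop(sid, None)


def cookie_is_protected(set_cookie):
    """Audit check: does a Set-Cookie header carry the Secure attribute?"""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return "secure" in attrs
```

The `cookie_is_protected` check can be run over a site's own Set-Cookie headers to spot session cookies that would still travel over plaintext HTTP.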
- Web sites may transmit authentication tokens unencrypted, US-CERT vulnerability note