LAS VEGAS—There’s been an abundance of attacks against crypto over the last few years but a much simpler, scarier threat, cookie hijacking, remains significantly overlooked in the eyes of researchers.
Two academics, Suphannee Sivakorn, a PhD student at Columbia University, and Jason Polakis, an assistant professor at the University of Illinois, discussed just how woefully inadequate the encryption protecting some services is in a talk at Black Hat Thursday.
The pair studied 25 popular websites, from search engines such as Google, Yahoo, and Bing, to news sites such as the Huffington Post, MSN, and the New York Times. Fifteen of the sites supported HTTPS but not universally. Many of them offer personalization over HTTP, something that can lead to complicated interoperability and flawed access control, according to Sivakorn and Polakis.
“Companies spend time fixing bugs like CSRF vulnerabilities, but overlook something that’s so obvious,” Polakis said during the talk.
The session borrowed heavily from a research paper the two published earlier this year, “The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information,” (.PDF) along with Angelos Keromytis, an associate professor in the Computer Science department at Columbia University.
The two described how they eavesdropped on WiFi traffic and used run-of-the-mill tools like Wireshark and Tcpdump to extract cookies from the connection.
On sites such as Yahoo it was easy to sniff user information such as users’ emails, profile photos, and visit history. They demonstrated how they could see email notification titles and snippets, and extract a contact list. On shopping sites such as Amazon, eBay, and Target, HTTPS is implemented but only for the login and checkout options. An attacker could glean a shopper’s username or email and use it to facilitate spam and phishing attacks. It could be possible to modify items in a customer’s cart or view past purchases. On eBay an attacker could even view a customer’s full shipping address.
Polakis and Sivakorn monitored 15 percent of Columbia University’s WiFi for a month to see if users behave differently on WiFi. The result? Large-scale cookie exposure; roughly 282,000 vulnerable accounts collected over the course of 30 days.
They followed that up by looking at a fresh Tor exit node for 30 days. They opted for a less invasive experiment and aggregated statistics instead of collecting cookies: 75 percent of the connections they noticed were made over HTTP.
“We have no idea how many cookies were exposed but it’s safe to say it was probably a lot,” Polakis said, adding that the experiment could lay the foundation for a practical de-anonymization attack.
They sent detailed reports to the services last November but mostly received responses back confirming the behavior was either known about or the result of old, legacy systems. One service told the researchers that cookie hijacking “is expected” while another called the issue “invalid, as it is an accepted business risk.”
Polakis and Sivakorn insist mechanisms such as HTTPS Everywhere and HSTS can help prevent cookie hijacking attacks but have their drawbacks.
Rule-sets for HTTPS Everywhere don’t offer complete coverage and also contain human errors, Polakis said. In an experiment they carried out, over 77 percent of the traffic they collected would have remained over HTTP even if HTTPS Everywhere were installed.
“[HTTPS Everywhere] does help, everyone should add it but know that it has its limitations,” Polakis said.
Google announced last week that it was rolling out HTTP Strict Transport Security, or HSTS, on the Google domain as an extra layer for users on less secure HTTP connections, but Polakis says it’s still in the testing phase.
“Eventually this attack won’t be possible, but if you can get access to the cookie, it still works, we tested it,” Polakis said. “It just might be tougher to get the cookie through sniffing.”
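One defensive check for the two weaknesses described above, cookies a browser will also send over plain HTTP and a missing or incomplete HSTS policy, as an added example that is neither the researchers’ code nor any named site’s configuration; the sample response headers are constructed:

```python
# Audit one HTTPS response's headers for cookies the browser will also send over plain HTTP
# (no Secure attribute) and for a missing or weak HSTS policy. Added example, not the paper's code.
def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {attribute: value}), attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def parse_hsts(header):
    """Return (max-age in seconds or None, includeSubDomains flag) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        key, _, value = directive.strip().partition("=")
        key, value = key.lower(), value.strip().strip('"')
        if key == "max-age" and value.isdigit():
            max_age = int(value)
        elif key == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit(headers):
    """headers: list of (name, value) pairs from one HTTPS response. Returns a list of findings."""
    findings, hsts = [], None
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure; the browser sends it on HTTP requests too")
        elif name.lower() == "strict-transport-security":
            hsts = parse_hsts(value)
    if hsts is None:
        findings.append("no HSTS header; the browser keeps following plain-HTTP links to this host")
    else:
        max_age, include_sub = hsts
        if not max_age:
            findings.append("HSTS max-age missing or 0; the policy is not enforced")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains; subdomains stay reachable over HTTP")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK = [("Set-Cookie", "SID=abc123; Path=/; HttpOnly"), ("Set-Cookie", "prefs=lang%3Den; Path=/")]
HARDENED = [("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly"),
            ("Set-Cookie", "prefs=lang%3Den; Path=/; Secure"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
```

Running `audit(WEAK)` reports both cookies and the missing HSTS header, while `audit(HARDENED)` returns no findings.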