Saturday, September 13, 2008

CookieMonster attack

Posted September 11, 2008

A CookieMonster attack is on its way. It is used to gather insecure HTTPS cookies from web-based services that involve login credentials (email or online banking). CookieMonster records the HTTPS cookies, as well as normal HTTP cookies, to Firefox cookie files. It turns out that many web sites do not properly set the "Encrypted Sessions Only" property on their cookies, which allows an attacker to retrieve the related cookies. The most crucial part of CookieMonster is that it can still get a list of the insecure domains from every client IP, even if you're not using the site at the time. CookieMonster is now available to a limited set of security researchers and will be available to the public shortly.
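To check whether your own site is affected, look at the Set-Cookie headers it sends over HTTPS: the "Encrypted Sessions Only" property corresponds to the `Secure` cookie attribute. The script below is an added example, not part of the original post or of the CookieMonster tool; the header values and function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers from an HTTPS response for the
# Secure attribute. The header values are constructed sample data, not
# captured from any real site.

SAMPLE_SET_COOKIE = [
    "SESSIONID=abc123; Path=/; HttpOnly",             # Secure missing
    "auth=deadbeef; Path=/; secure; HttpOnly",        # attribute names are case-insensitive
    "pref=secure_mode; Path=/",                       # "secure" only appears in the value
    "cart=42; Domain=shop.example; Path=/; Secure",   # correctly flagged
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs).

    Attribute names are lowercased so "Secure" and "secure" compare equal.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ";"
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def insecure_cookies(headers):
    """Return the names of cookies that were set without the Secure attribute."""
    flagged = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        # Check the parsed attributes, not the raw string: a substring test
        # would wrongly pass "pref=secure_mode".
        if "secure" not in attrs:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in insecure_cookies(SAMPLE_SET_COOKIE):
        print(f"cookie {name!r} lacks Secure: the browser will also send it over plain HTTP")
```

Any cookie this reports is one the browser will attach to unencrypted requests for the same host, so session and login cookies should never appear in its output.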
