Even though the vulnerability and the ease of exploiting online services have been well known since 2007, the lack of mainstream tech media coverage has allowed the online industry to sweep the problem under the rug for the past three years. Now that the problem can no longer be ignored, because anyone can use the attack to steal other people’s accounts, I’m going to create an online services report card that will be updated over time. Look below Figure 1 for basic definitions of the various types of security breaches.
What are authentication cookies?
To save you the trouble of signing in with a username and password every time you visit a website, websites use temporary authentication cookies (typically expiring in days) that are automatically pulled from your browser’s cookie store and sent to the server with every request to that site. When the cookies expire, the user is prompted to type in their username and password, which is often saved by the web browser.
When you sign in with your username and password, the secure way to do this is over a connection where the address bar shows “HTTPS” and the site’s certificate is verified by a Certificate Authority such as Verisign. Your browser and operating system keep a list of trusted Certificate Authorities (CAs), and the browser warns you when you visit a site whose certificate is signed by an untrusted CA. Both the page that carries the login form and the address the form submits to need to be HTTPS; a login form delivered over plain HTTP can be rewritten by anyone in the network path before you ever type a password.
Many websites don’t bother doing this, which makes it easy for someone to steal your username and password by putting up a fake hotspot and a fake copy of the login page. This type of attack is very dangerous to consumers, but it requires the attacker to perform an active attack, which carries some small risk of being caught if authorities triangulate the wireless signal. In reality, there aren’t many resources allocated to tracking down this kind of attack, and it can be launched from a self-contained box, which vastly reduces the risk to the attacker.
I and many other security experts have been hammering the U.S. banking industry since 2006 for failure to use SSL authentication and they finally fixed the problem years later. Unfortunately, websites like Twitter and Facebook still haven’t learned.
SSL browsing support
When you’re browsing a website without SSL (the address bar reads HTTP rather than HTTPS), anyone on the same network, such as an open Wi-Fi hotspot, can see what you’re browsing. If this is Yahoo Mail, for example, they can read the messages you have loaded on the screen, but they can’t go in and read other messages you aren’t viewing, and they can’t send mail as you.
A partial sidejacking is where an attacker captures authentication cookies that grant only limited access to a user’s account. For example, Google.com allows an attacker holding the victim’s cookies to browse Google’s sites as the victim, and on Google Maps the attacker can see saved addresses (including the home address). The same problem affects Yahoo, but the attacker can’t get at things like email.
A full sidejacking happens when the attacker’s captured cookies give access to everything short of the username and password. On Facebook, they can use the cookies to act as the victim, see all private data, and even send or post messages on the victim’s behalf. The attacker usually can’t change the password, because sites like Facebook ask for the old password before setting a new one.
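The mechanics behind the cookie description above and the two sidejacking definitions, as an added example that is not part of the original post: a victim logs in over HTTPS, then follows a plain HTTP link on the same site, and a passive listener on the same hotspot reads the Cookie header straight out of the cleartext request and replays it. The hostname, cookie names, paths and the Set-Cookie headers are constructed for illustration; the only rule the model relies on is the real browser behaviour that a cookie carrying the `Secure` attribute is never attached to an http:// request.

```python
"""Sidejacking, end to end: what a passive listener on the same network can
pull from a cleartext HTTP request, and why the Secure cookie attribute stops
the browser from leaking the session cookie in the first place.

Added example, not code from the original post. Host, paths, cookie names
and the captured request are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

HOST = "www.example.com"  # constructed


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False    # only ever sent over https
    httponly: bool = False  # hidden from page script; does NOT stop a sniffer


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value; only the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key = attr.split("=", 1)[0].strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def cookies_sent(jar: List[Cookie], scheme: str) -> Dict[str, str]:
    """Browser rule: a Secure cookie is attached only to https requests."""
    return {c.name: c.value for c in jar if scheme == "https" or not c.secure}


def build_request(scheme: str, path: str, jar: List[Cookie]) -> bytes:
    """The bytes the browser puts on the wire for scheme://HOST/path."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {HOST}"]
    sent = cookies_sent(jar, scheme)
    if sent:
        lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in sent.items()))
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def sniff_cookies(raw_request: bytes) -> Dict[str, str]:
    """Passive attacker: read the Cookie header out of a captured cleartext request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        if line.lower().startswith("cookie:"):
            pairs = (kv.strip() for kv in line.split(":", 1)[1].split(";"))
            return dict(kv.split("=", 1) for kv in pairs if "=" in kv)
    return {}


def sidejack(set_cookie_headers: List[str], path: str = "/") -> Dict[str, str]:
    """Victim logged in over https (cookies set), then follows an http link on
    the same site. Returns whatever the sniffer recovers from that request."""
    jar = [parse_set_cookie(h) for h in set_cookie_headers]
    on_the_wire = build_request("http", path, jar)  # open Wi-Fi, cleartext
    return sniff_cookies(on_the_wire)


def replay(stolen: Dict[str, str], path: str) -> bytes:
    """Attacker's own request to the site, wearing the victim's cookies."""
    jar = [Cookie(k, v) for k, v in stolen.items()]
    return build_request("https", path, jar)


# Constructed Set-Cookie headers from one login response, weak and hardened.
WEAK_LOGIN = [
    "sessionid=9f3c2a7e1b; Path=/; HttpOnly",  # HttpOnly alone: still sniffable
    "prefs=en; Path=/",
]
HARDENED_LOGIN = [
    "sessionid=9f3c2a7e1b; Path=/; Secure; HttpOnly",
    "prefs=en; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        stolen = sidejack(headers)
        print(f"{label:8s} leaked over http: {stolen}")
        if "sessionid" in stolen:
            print(replay(stolen, "/messages").decode().rstrip())
```

With the weak headers the sniffer walks away with `sessionid` and can replay it (a full sidejacking); with the hardened headers only the harmless `prefs` cookie crosses the wire, which is the shape of a partial sidejacking. The caveat is that `Secure` only helps a site that serves its logged-in pages over HTTPS: a site whose pages are plain HTTP cannot mark its session cookie `Secure` without logging the user out of every page, which is why the real fix is HTTPS for the whole session, not just the login form.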
The most severe case is credential theft, where an attacker obtains the user’s username and password. At that point, the attacker can do anything they want with the user’s data and account. It is notable that attacking non-SSL protocols like POP3, SMTP, IMAP, and FTP is even easier, because the credentials cross the wire in the clear and can be captured passively, which is completely undetectable. The attack is so simple that security conferences like DEFCON run an annual “Wall of Sheep”. Attacking websites that fail to employ SSL for login requires an active attack, where the attacker has to set up a fake but realistic-looking login page.
[Cross-posted at Digital Society]