The Web is a pretty nasty place, according to reverse engineer and privacy advocate Mike Perry -- and he should know.
At underground hacker convention DEFCON last month, Perry revealed vulnerabilities in cookies used by sites such as Gmail, Facebook and LinkedIn.
As if publicising the security flaws isn't enough, Perry will be releasing an automated hacking tool that exploits them.
The self-proclaimed 'mad computer scientist' spoke with iTnews about the vulnerability, his plans, and the online security landscape.
What security issues will be exposed with the release of your https hacking tool?
There are actually two vulnerabilities here. The first is that many sites do not secure their content via https past the initial login page. This allows an attacker to steal their users' cookies and impersonate them on the local network whenever they use the site.
A tool to do this (Robert Graham's 'Hamster') has been circulating for a year, but there has been no response from the major sites.
The second vulnerability is that many sites that do use https past the login page do not mark their cookies as 'secure'. This is what allows an attacker to induce the user's browser to transmit these cookies over unsecured, regular http connections so they can observe them and impersonate the user.
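As an added illustration of the second issue (this is not code from the interview, from Perry's tool, or from Hamster), a small audit of Set-Cookie headers: a cookie issued over https but without the Secure attribute is one the browser will also send over plain http, where anyone on the local network can read it. The headers below are constructed samples from a hypothetical site.

```python
"""Audit Set-Cookie headers for the missing 'Secure' attribute.

The Secure flag only helps when the whole logged-in session is served
over https (the first issue Perry describes); marking cookies Secure on
a site that still serves pages over http would simply stop those pages
from receiving the cookie.
"""
from http.cookies import SimpleCookie

# Constructed sample headers, assumed to have been issued on an https
# page after login (hypothetical site, not any named vendor).
SAMPLE_SET_COOKIE_HEADERS = [
    "SID=abc123; Path=/; HttpOnly",            # weak: session cookie, no Secure
    "PREF=lang-en; Path=/",                    # weak: no Secure, no HttpOnly
    "SSID=def456; Path=/; Secure; HttpOnly",   # hardened
]


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header and report its Secure/HttpOnly flags."""
    jar = SimpleCookie()
    jar.load(header)
    # Flag attributes are True when present and "" when absent.
    return {
        name: {"secure": bool(m["secure"]), "httponly": bool(m["httponly"])}
        for name, m in jar.items()
    }


def cookies_leaked_over_http(headers) -> list:
    """Names of cookies a browser would also send on plain-http requests."""
    return [
        name
        for header in headers
        for name, flags in audit_set_cookie(header).items()
        if not flags["secure"]
    ]


def harden(header: str) -> str:
    """Return the same Set-Cookie header with the Secure attribute added."""
    jar = SimpleCookie()
    jar.load(header)
    # A Set-Cookie header carries exactly one cookie.
    morsel = next(iter(jar.values()))
    morsel["secure"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    print("leaked over http:", cookies_leaked_over_http(SAMPLE_SET_COOKIE_HEADERS))
```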
Why are you releasing your https hacking tool to the public?
There are two issues I am trying to tackle here. One is to launch a more direct assault against the trend towards 'security theater' -- providing the show of security to people while not actually protecting them at all.
This is exactly what websites exposed to the first vulnerability are doing, and have been doing in the face of a publicly available exploit for over a year.
The second goal is to ensure that the second vulnerability is well publicised and well understood - because it is a subtle one that even many web developers do not consider.
Both of these goals have required the threat of an automated tool before any real progress was made towards addressing them.
Again, I waited a full year after announcing the vulnerability without a proof of concept exploit, and nothing happened. It was only the existence of the tool, and the threat of its release, that has caused things to move forward.
When will the tool be released?
I am still continuing to wait a limited time while major sites (such as Google and Microsoft) continue to work on fixing the issue.
However, eventually we'll reach the point at which the major sites that intend to fix the issue have done so, and all we have left are sites that have no intention of investing in the security of their users, or at least no intention of doing so in a timely fashion.
At this point, I will make the tool more widely available, and attempt to use the publicity to encourage people to move away from these sites towards their more secure counterparts.
Question time with reverse engineer, Mike Perry
By Liz Tay on Sep 10, 2008 2:42PM