
I have seen anecdotal accounts of 'security theater' webmail accounts (such as Yahoo mail) being hijacked, in the comments sections of various articles about the tool.
These were likely performed by the 'sidejacking' tool, or a similar independently derived method, since my tool has only been shown to a limited number of people, and was even then only in a reliable, working state very shortly before DEFCON.
So yes, people have begun to exploit this vulnerability even though I have delayed my tool from public release.
What information can typically be obtained using the https cookie vulnerability?
The risks are quite large for affected sites, and very frequently run all the way up to complete identity theft and access to financial data. An incomplete list of sites that are vulnerable (including the type of information available) is here.
Have you had any discussions with owners and administrators of large vulnerable sites so far?
The only sites to even respond to my attempts to contact them have been Google, Microsoft, Twitter, and LinkedIn.
LinkedIn has given several indications that they do not intend to provide SSL protection for the ability to edit profiles on the site, and to view user messages. The exact statement I received was that ‘this is an attack against the end-user, not the web application itself’, which I suspect is the attitude many sites seem to have towards this issue.
How have Web sites like Gmail, Facebook and Hotmail been able to get away with this vulnerability in the past?
I think it stems from three factors: lack of awareness on the part of their users, a desire for ‘usability’, and a desire to avoid the expense of providing secured connections to their users.
To their credit, Gmail has been the most proactive about fixing this: in fact they are the only major email provider to offer complete SSL at all. It's just that their multi-service single sign-on system has made it difficult to properly implement this securely. They are working on fixing this, though.
What is your opinion of the security of most popular consumer Web sites?
In general the web is a pretty nasty place. A lot of this stems from the way the web was designed: as an open, stateless, and mostly unauthenticated medium where sites can load content from other sites, refer their users to other sites, and have them execute almost arbitrary actions automatically.
This requires each site to do a lot of custom, independent legwork to secure things from this originally open state, and a lot of them end up getting bits and pieces wrong, sometimes even fundamental pieces that are fully supported in major browsers, such as the cookie issue we see here.