The cookie replay attack: some vulnerable and secure web services
This attack can be performed by anyone in a few seconds with The Cookie Tools, which were presented in a recent BFi article you can find here (in Italian, with a demonstration against Gmail). This list exists to make you aware of this problem, which is practically ignored. Services of this kind should be secure by default. If you want to contribute new entries or updates, mail me at _ michele dot dallachiesa at poste dot it _ with the subject "NOSPAM LISTA".
- http://190.it/
  - By default, authentication is over HTTPS, then the session continues over HTTP.
- http://www.libero.it/
  - By default everything is over HTTP. The username and password are transmitted in clear text and can easily be sniffed. security == 0 !!
- http://mail.lycos.it
  - By default everything is over HTTP. The username and password are transmitted in clear text and can easily be sniffed. security == 0 !! But they say: "Lycos Mail: email sicura, affidabile, veloce" ("secure, reliable, fast email")... :) They have a "secure" option in the login form that seems to do nothing.
- http://www.yahoo.com/
  - (not only the Italian version) By default, authentication is over HTTPS, then the session continues over HTTP.
- http://www.hotmail.com/
  - (not only the Italian version) By default, authentication is over HTTPS, then the session continues over HTTP.
- http://mail.google.com/
  - (not only the Italian version) By default, authentication is over HTTPS, then the session continues over HTTP.
- http://docs.google.com/
  - (not only the Italian version) By default, authentication is over HTTPS, then the session continues over HTTP.
The following web services are more secure, but still insecure...
- http://poste.it/
  - By default everything is over HTTPS. The cookies are set without the Secure flag.
- https://mail.google.com/
  - (This is not the default, because by default the user comes in through the login form at http://mail.google.com, not https://mail.google.com.) Everything is over HTTPS. The cookies are set without the Secure flag. This is a big problem: if you use the Google search engine at http://www.google.com, your browser will transmit some of those cookies (because the Secure flag was not set)... and they can be used to attack Gmail via iGoogle. But this is another story :)
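Both lists come down to one browser rule: a cookie set without the Secure flag is attached to every request for its domain, plain HTTP included, so a session cookie issued over HTTPS still travels in clear the moment the site (or a sibling site on the same domain) is visited over HTTP. The Python below is an added example, not code from the page or from any of the listed services: it parses Set-Cookie headers, reports which cookies would leak this way, shows which cookies a browser would attach to an http:// versus an https:// request, and emits the hardened header. The sample headers and the example.com domain are constructed; the HttpOnly check is an extra the page does not discuss.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers, modelled on the two patterns the list
# describes: a session cookie set without the Secure flag, and one set with it.
SAMPLE_HEADERS = [
    "SID=s3ss10n-t0k3n; Domain=.example.com; Path=/",                   # no Secure flag
    "PREF=lang=en; Domain=.example.com; Path=/",                         # harmless preference
    "SSID=l0g1n-t0k3n; Domain=.example.com; Path=/; Secure; HttpOnly",   # done right
]


@dataclass
class Cookie:
    name: str
    value: str
    domain: str = ""
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain":
            cookie.domain = val.strip().lower()
        elif key == "path":
            cookie.path = val.strip() or "/"
    return cookie


def cookies_sent_to(cookies, url: str) -> list:
    """Names of the cookies a browser would attach to a request for `url`.

    The rule that matters here: a cookie WITHOUT the Secure flag is sent over
    plain HTTP as well, so anyone sniffing the path sees it.
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    sent = []
    for c in cookies:
        if c.secure and u.scheme != "https":
            continue  # Secure cookies stay off cleartext connections
        if c.domain and not (host == c.domain.lstrip(".") or host.endswith(c.domain)):
            continue
        if not (u.path or "/").startswith(c.path):
            continue
        sent.append(c.name)
    return sent


def audit(headers) -> list:
    """The check a site owner should run on its own login response."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if not c.secure:
            findings.append(f"{c.name}: missing Secure flag (sent over plain HTTP)")
        if not c.httponly:
            findings.append(f"{c.name}: missing HttpOnly flag (readable by page scripts)")
    return findings


def harden(header: str) -> str:
    """Return the same Set-Cookie header with Secure and HttpOnly added if absent."""
    c = parse_set_cookie(header)
    out = header.rstrip("; ")
    if not c.secure:
        out += "; Secure"
    if not c.httponly:
        out += "; HttpOnly"
    return out


if __name__ == "__main__":
    jar = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
    print("audit findings:")
    for f in audit(SAMPLE_HEADERS):
        print("  " + f)
    print("sent to http://www.example.com/  :", cookies_sent_to(jar, "http://www.example.com/"))
    print("sent to https://mail.example.com/:", cookies_sent_to(jar, "https://mail.example.com/"))
    print("hardened:", harden(SAMPLE_HEADERS[0]))
```

Run it and the SID cookie shows up in the http:// request while SSID does not; that difference is the whole gap between the two lists above. The fix on the server side is the one-word change `harden` makes: set Secure on every cookie that carries a session, and serve the site over HTTPS throughout so the browser never has a reason to make the cleartext request in the first place.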
xenion - Thu Dec 13 16:00:29 CET 2007