Cookies...yummy or deadly?

Discussion in 'privacy general' started by ssj100, Jul 10, 2009.

Thread Status:
Not open for further replies.
  1. arran
    Offline

    arran Registered Member

    I don't need to worry about ways to clean out flash cookies, because I use Malware Defender to block them from being created in the first place. hence my flash cookies always remain at 0. :D
  2. m00nbl00d
    Offline

    m00nbl00d Registered Member

    As I said at the very beginning, for what I understand of cookies, and I thought I had mentioned it, they will tag you with an identification. That's why, for example, Amazon remembers Rmus and his preferences.

    You shouldn't be concerned if a malware site "knows" you've been there. You should worry, though, if they know you've been at other websites, such as your on-line bank account, etc. The problem are not cookies (because some are useful, as you said), rather the called tracking cookies.

    Then, you've got third-party cookies. Say, you visit www.wilderssecurity.com, and there are plenty contents here, like images, etc and they all come from outside the domain, you'll, probably, end up allowing other folks cookies, as well, without any need or use. So, cookies aren't useful most of the time, and I actually consider most of them an abuse to our privacy.

    So, while www.wilderssecurity.com cookies would be useful for you to be remembered, cookies from domain B, C, D, E, F, etc aren't. They are of no use.

    You're here at www.wilderssecurity.com, and there's an advertisement, in the form of a banner, say. If no protection is set against third-party cookies, then a cookie will be stored. If you go to some other site, forum, etc, sharing banners from the same servers, considering that a cookie has been previously set, that server will know you've been here, at some other site, at some other forum, etc.

    Why should anyone else but www.wilderssecurity.com know you've here?

    Is like going to shopping, right? Who cares if the X shop knows you bought Y product? Makes sense, you bought it there, after all. But, does that mean that every other shop, sharing the same sponsor (the advertisement banner), would have to know that I've been at shop X, buying Y product?
    I don't think so.


    But, that's how I feel. ;)
  3. funkydude
    Offline

    funkydude Registered Member

    Why the hell would I install an additional program that:

    1. Is supposed to block malware, cookies aren't malware
    2. Uses resources
    3. Isn't needed whatsoever.

    Flash settings, like firefox, have a default function to block flash cookies. So here I go.

    "I don't need to worry about ways to clean out flash cookies, because I've blocked them in the settings manager from being created in the first place. hence my flash cookies always remain at 0. :D"
  4. Keyboard_Commando
    Offline

    Keyboard_Commando Registered Member

  5. funkydude
    Offline

    funkydude Registered Member

  6. funkydude
    Offline

    funkydude Registered Member

    These cookies have no function whatsoever, and so far, I haven't found anything flash based that isn't working properly with them blocked, they seem pointless to me.
  7. Keyboard_Commando
    Offline

    Keyboard_Commando Registered Member

    ssj100

    I think the people at risk are those following mass trends ... Users of Twitter, Youtube, Myspace, Facebook, these are obvious places that scripting dangers are going to be lurking. They're todays honeypots.
  8. Keyboard_Commando
    Offline

    Keyboard_Commando Registered Member

    Well I noticed lately with Youtube people are scripting a link to appear whilst playing clips "Go to this site to see the HD version" or "See more of this artist here" have you noticed that too? I haven't placed a clip on Youtube so I have no idea how its done. But I am pretty sure this could be exploited to run all kinds of trouble.
  9. trismegistos
    Offline

    trismegistos Registered Member

    Cookies are privacy risks but can be financially dangerous(he he) if you do online banking or buying.

    Examples:
    http://hackademix.net/2008/09/10/noscript-vs-insecure-cookies/

    http://www.nist.org/news.php?extend.176
    quote:
    Phishing schemes are about to get a whole lot easier. Targeted attacks are much more likely to work now than ever before. Cookies stored on your computer can be retrieved by bad guys half a world away. Even big search engine companies like Google and Yahoo are shaking in their boots. What happened? The bad guys have discovered Cross-Site Scripting (XSS) and the Internet has sudden become a lot more dangerous...
    Through the magic of Cross-Site Scripting (XSS) even professional security people will have a hard time recognizing a phishing message. XSS also allows for the theft of cookies, and thus personal information and possibly passwords, stored on your computer.
    ---end of quote---
    Below is an old exploit of a vulnerability quickly patched concerning "hacking hotmail account". Vulnerabilities will be discovered and that old exploit will be used against everyone by stealing a victim's cookies... http://www.exploitx.com/132/hacking-hotmail/
    quote:
    This exploit is using the cookie from hotmail.msn.com to access the ‘victims’ inbox. Because the cookie is not limited to the domain hotmail.msn.com, I can also use an exploit on the site msn.com to steal the cookie from the victim. When I searched msn.com for an exploit called “HTML Injection” or “Cross Site Scripting” (XSS), it took me about 30 minutes to find one. With this exploit type I’m able to insert additional pieces of html or javascript into a page of msn.com. When I insert the code: , the user will see a message box just like the picture below when he visits that site.

    The real HTML injection example with popup can be viewed at:[removed]

    With the text you can see in the “alert message-box” above, everybody with some knowledge is able to access my inbox. This text is send by my browser to hotmail every time I visit a site with the domain “msn.com”. This method is used so hotmail knows I am still logged in. The text in the popup is called a “cookie”. A trick used by attackers is to fake somebody else’s cookie. I will explain one easy method, although there are different ways of doing it. I can fake cookies with a helper program called “Proxomitron”.
    ---end of quote---
  10. trismegistos
    Offline

    trismegistos Registered Member

    How I wish every jane and john doe doing online purchases will be as tech savy as you. M:)
  11. Rmus
    Offline

    Rmus Exploit Analyst

    Actually, they know my entire purchasing history even without a cookie, since for more years than I can remember, I've purchased there with a debit card, meaning that my account will have a record of everything. What does it matter? All the stored cookie does is identify me upon connecting to the page. BTW - a password is still required to access my account. Having the cookie does not provide that information. The main site is HTTP. When I click on "My Account" I am taken to a secure HTTPS site with a login box. Every site handles these things differently, and it's imperative to find out how these thing work before you set up an account, so that you understand and are aware of the site's procedures.

    In another example, my local library knows everything I've checked out since I applied for a card years ago. So what? There are government agencies that know more about me than a web cookie will ever provide. From where I'm sitting, this is all much ado about nothing -- speaking only for myself, of course.

    Are you talking about persistent or non-persistent XSS? There certainly have been some sensational examples of the latter, but in each case, the specific circumstances would not have applied to me at all.

    As far as man-in-the-middle attack -- mentioned in one the links cited in another post here -- so many unique factors have to be in place in my case -- very common on local wired and wireless networks which I do not use.

    As far as the sensational cookies and web email exploits - guessing user information, etc -- again, so many specific factors have to be present, such as using this type of email in the first place.

    I realize that it's a bit self-serving, but over the years I found that I can be responsible only for myself and those in my sphere of influence -- those I've helped set up a system. I just don't encounter the situations that have been reported in the media. These sensationalized stories help sell products, of course, and make for interesting reading, but as a security-minded person who takes the time to dig beneath all of this, I find that establishing secure policies and procedures at the user level takes care of most everything!

    Autorun.inf vulnerability is a perfect example. But that's been discussed in another thread.

    ----
    rich
  12. Fly
    Offline

    Fly Registered Member

    I know people who allow third-party cookies/tracking cookies without care, without noticable problems.

    Still, I see no reason to allow them.

    I use IE 7, allowing direct cookies, blocking indirect cookies, box for session cookies unticked. Yet, there are ways around this to place tracking cookies on my computer, but with my setup I block at least 99%.

    Much more tricky are 'web bugs', sometimes called 'web beacons', which can be used to track people, and are impossible to avoid (by the average user).
  13. cqpreson
    Offline

    cqpreson Registered Member

    I see all you said.But in the eyes of me,cookies is just a web page which has your symbol.So they are not bad.We should allow them.If we demand security,we only need to allow cookies which come form our allowable websites.It is just enough.
  14. arran
    Offline

    arran Registered Member

    I never said you should install MD, I was just saying that it is a method I use.


    True there is more web bugs out there than what most people think, I do look at my admuncher logs occasionally and there is always web bugs which it has blocked. I also have no script blocking them if admuncher misses any.
  15. trismegistos
    Offline

    trismegistos Registered Member

    Active contents on webpages can find lots of ways to harvest cookies. Another thing to consider is the favorite icons or favicons. Favicons is also used to track user and set cookies aside from the web bugs.

    A workaround will be Proxomitron with filters like from altosax... http://prxbx.com/download/Configs/Altosax.zip

    A healthy paranoia is a good thing but too much is bad. Awareness that these things happen is good and one should not debunked that these are simply overstated and profit-motive. We may never know the minds of these evil profiteering rings of cybercriminals all over cyberspace.
    Last edited: Jul 11, 2009
  16. Rmus
    Offline

    Rmus Exploit Analyst

    Hello trismegistos,

    Interesting stuff! (some new to me)

    I was discussing what I wrote for this this thread yesterday with a friend who was interested in how cookies work. She uses Opera 9.64 as I do and has configured cookies as I've suggested. I just ran the GRC cookie test here:

    http://www.grc.com/cookies/forensics.htm

    and these are my results:

    cookieTest.gif

    Can I assure her that she is protected from the things you talk about?

    thanks,

    rich
Thread Status:
Not open for further replies.