Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 10th, 2008

New Tool To Be Released Can Steal Authentication Credentials Through Encrypted Secure Channels

New tool that can steal users authentication credentials makes websites used for email, banking, e-commerce and other sensitive applications less secure, even when they’re sent through supposedly secure channels.

The toolkit, named CookieMonster, is used in a variety of man-in-the-middle scenarios to trick a victim’s browser into turning over the authentication cookies used to gain access to user account sections of a website. Unlike an attack method known as sidejacking, it works with vulnerable websites even when a user’s browsing session is encrypted from start to finish using the secure sockets layer (SSL) protocol.

The vulnerability stems from website developers’ failure to designate authentication cookies as secure. On such websites, web browsers are free to send data over insecure http channel, and that’s what CookieMonster causes the browsers to do. It does this by caching all DNS responses and then monitoring hostnames that use port 443 to connect to one of the domain names stored there. CookieMonster then injects images from insecure non-https portions of the protected website, which makes the browser send the authentication cookie.

CookieMonster is currently in the hands of only about 225 security professionals. In the next couple weeks, the tool will become generally available. According to Mike Perry, the creator of CookieMonster, websites that appear to be vulnerable to the attack include,,,, and a host of other big-name online destinations. Errata Security’s Rob Graham, who introduced Sidejacking tools a little more than a year ago, says Gmail is not vulnerable as long as a recently implemented https-only option is turned on. But Google Docs, Google’s and Google Finance remain wide open.

More details about the tool can be found here.

Share this item with others:

More on CyberInsecure:
  • Google Adds User Enabled HTTPS Secure Connections Into GMail
  • Android Market Security Update Released By Google Contained Mobile Trojan
  • Another Hole Discovered In Secure Sockets Layer (SSL)
  • Updated Blackmailer Virus Gpcode Encrypts User Data And Demands Payment For Decryption
  • New Sniffer Can Attack VoIP Users

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Tool To Be Released Can Steal Authentication Credentials Through Encrypted Secure Channels

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.