Cookie Theft (SideJacking or Session Hijacking) for Normal People.

Yeah, usually these things are titled “for Dummies”, but you’re not a dummy if you don’t understand, you’re normal. This is related to the program “Firesheep” and I will attempt to make it very easy to understand the problem. The solution is a bit more complex. It all comes down to trust and discretion. Unfortunately the trust part is on the side of social networking sites and webmail providers and you are responsible for discretion.

Imagine you start a new job with a company that uses card readers to grant access to the building. When you apply and get hired the company identifies who you are and gives you a card key to get into the building. From that point on ANYONE with your cardkey can get into the building unless there are other authentication procedures, such as a PIN or fingerprint reader. Another example, you sign up for a discount with a store. You fill out a piece of paper with your name, address and phone number and they give you a magnetic card to swipe each time you make a purchase. Yeah, you can lie, but that card is tied to one person, and still you could give it to someone else or it could be stolen and used.

When you log onto a website that requires a username and password, that is when you tell Facebook, Yahoo, Amazon, or whoever it is who you are. At this point the website gives you a cookie. For the rest of the session the website is constantly looking at the cookie to determine who you are. If someone else has the cookie the website will not know it, but they will trust that it is you and provide the same access that you already have. Make sense? If I lost you, let me know and I will figure out a better way to explain it, but for now I will assume you understand it.

Consider Facebook. You log onto Facebook and give them your username and password. Facebook sends you back a cookie that they will continuously use. Facebook makes sure that anyone can use the cookie also. When you go to make a comment on a friend’s wall Facebook will read the cookie and say “yes, we know who this is” and allow you (or anyone with your cookie) to write the comment. Almost anything you (or someone with your cookie) do requires Facebook to read the cookie, determine it is you (or an imposter) and then carry out your command.

Here is where the problem comes in. When you send your username and password it is encrypted. Nobody else can see what it is, but when Facebook sends you the cookie or reads the cookie it is not encrypted. In a public coffee shop, airport, or many other places that offer free, unencrypted WIFI this means that someone else can also capture the cookie, read it, copy it and use it. The cookie is sent across the air with zero protection other than the wireless encryption (if it is turned on). Anyone can copy it and use it. Once someone else has the cookie they can use it just as if they had your cardkey or shoppers club card. They can access your account, post messages as if they were you, change some aspects of your profile, message your friends, and do many other things. The attacker will not have your password, but anything else you can do without a password they can also do.

This type of attack has long been known, but Firesheep made it easy for people with no technical skills to carry out. The problem of trust is something that the websites bear. They blindly trust without a second means of authentication. If they required the cookie to come from the same IP address each time, then this type of attack would not work. If the cookie was encrypted then this type of attack would not work. But at the moment Facebook and other sites only care that the cookie is present, not who is using it, so the attack is extremely effective and extremely easy.

As for discretion, that is upon you. If you are not on your home computer, not using a VPN, or not using SSL (https) for the whole session, then it is not a good idea to use Facebook, Twitter, Yahoo Mail, Live Mail, LinkedIn, or most other sites. Gmail is an exception, but if you have had your Gmail account for a long time you may need to make sure it is using https all of the time.

Websites that require a password really need to take responsibility and make sure that their sessions are encrypted, but that will be a while. You need to assume that when you use free WIFI that does not require you to log in with a password then everything you enter, including your username and password, is pubic information. Although Facebook encrypts the username and password, lame ISPs, like Comcast often do not.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC