Cookie Hijacking for Idiots: A Layman’s Guide

Being an IT professional in a sea of non-IT friends, I do get asked from time to time about security. And although I could bang on for hours about things like basic password security, RSA encryption, the inherent weakness of a PIN, and a brief history of the Enigma code, I know their eyes would gloss over in the first few minutes and that most of it would be lost. So instead I think I’ll type up a piece on those dirty motherfuckers stealing your cookies.

Let’s say you’re out in public, on a wireless network. You have your laptop and you go and log in to Facebook (for the purposes of this discussion, they haven’t forced the HTTPS setting yet, we’ll get to that later) to tell the world about what a wonderful day it is. And when you log in the next day, you find that your wall is covered in homophobic rants, from you, as well as angry replies from female friends who didn’t care for your constant requests for them to send pictures of their goods to you. You may have been drunk, of course, but more likely you just had your cookies intercepted.

This happens because of a common and basic flaw with small network security, which is that it may have been operating in Promiscuous Mode, which means that… well, let’s use an example. Say you live on a street and you’re out by your mailbox one day when the mailman comes by. He isn’t especially bright, and looks at each piece of mail and compares it to each mailbox, and asks each mailbox “Is this yours?!” until one mailbox gains sentience and eventually says “yes goddammit, now hand it over.” He then does the same with the next letter, and so on. But you, standing out there, know he’s not especially bright. So as he walks up after handing the letter to one box, you say “Hey, uh… can I get a copy of that too?” “YOU SURE CAN!!” And then you have a copy of your neighbor’s mail. In networking terms, such a copy can be made instantly and without the original person noticing. But, I hear you ask, what does a stupid mailman have to do with a network? Well, some networks deliver packets in that same way. Gathering someone else’s data like that is called packet sniffing.

But how did that get your Facebook hacked? Does this mean they have your password? Oddly, no. Or not yet, technically speaking.

When you go to log in to a site like Facebook (or Twitter or Tumblr or Amazon or GMail or your fucking bank’s website or whatever), they make sure you have the correct credentials (password) before you can see anything. But it would be a severe pain in the ass if you had to log in again when you load the page again. So sites have a workaround for this. Once you log in, they forward a session cookie to your browser. This cookie tells the site who you are every time you load a page. It doesn’t have your password, but it does have an encrypted little code so that their servers know who you are. 

Have you figured it out yet? When your hacking friend asked the mailman for a copy of your letter, he was getting a copy of your session cookie. And with it, he can instantly go to Facebook, show off the cookie, and as far as Facebook is concerned, he’s you. He can post as you, change your password so that he then has your password and can log in as you in the future, etc. And it’s actually shockingly easy to do this. There’s a Firefox addon called Firesheep that does it for you: you load up Firefox and let it run on a public network for a while, and it will just sit there collecting cookies. All you have to do once it’s found one is click on it, and bam. It logs you in.

Luckily for you, it can be easily defeated by using a secure protocol, namely HTTPS. You’ve probably seen the http:// at the front of most URLs in your browser… it might be up there right now. That’s the protocol you’re using to connect to the server. If a site has a security certificate, you can change it to https:// and browse that way. Now there’s a whole huge discussion to be had about making sure their certificate is secure and what SSL/HTTPS/TLS really is, but that’s another post. Point is, if you have https://, your session is encrypted and someone can’t jack your cookies (without a great deal more difficulty at any rate).
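To make the last two paragraphs concrete, here is a small added example (my own illustration, not code from Facebook, Firesheep, or any real site) of what a session cookie actually is and why HTTPS shuts the door. It assumes a made-up user “alice” with a made-up password, an in-memory session table, and a toy browser cookie jar; the functions `login`, `set_cookie_header`, `store_cookie`, `cookie_header_for`, `whoami` and `demo` are all invented for the demo. The point it shows: the cookie carries only a random token that the server maps back to a user, and a cookie marked `Secure` is never sent over plain `http://`, so there is nothing on the wire for a sniffer to copy.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlsplit

# Constructed in-memory session store: token -> username.
# A real site would keep this in a database or a signed cookie store.
SESSIONS: dict = {}

# Constructed credential table for the demo only (real sites store password hashes).
USERS = {"alice": "correct horse battery staple"}

SESSION_COOKIE = "sessionid"


def login(username: str, password: str) -> Optional[str]:
    """Check credentials once; on success mint an opaque random session token.

    The token is all the cookie ever carries. It contains neither the password
    nor any user data: it is only a lookup key into SESSIONS on the server.
    """
    if USERS.get(username) != password:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def set_cookie_header(token: str, secure: bool) -> str:
    """Build the Set-Cookie header value the server sends right after login.

    secure=True adds the Secure attribute, so the browser will only send the
    cookie back over https://. HttpOnly keeps page scripts from reading it.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = token
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["path"] = "/"
    if secure:
        cookie[SESSION_COOKIE]["secure"] = True
    return cookie.output(header="").strip()


def store_cookie(jar: dict, set_cookie: str) -> None:
    """Toy browser cookie jar: remember the value and whether Secure was set."""
    cookie = SimpleCookie(set_cookie)
    for name, morsel in cookie.items():
        jar[name] = {"value": morsel.value, "secure": bool(morsel["secure"])}


def cookie_header_for(jar: dict, url: str) -> Optional[str]:
    """What the browser attaches to a request for `url`, honouring Secure."""
    scheme = urlsplit(url).scheme
    parts = [f"{name}={c['value']}" for name, c in jar.items()
             if scheme == "https" or not c["secure"]]
    return "; ".join(parts) or None


def whoami(cookie_header: Optional[str]) -> Optional[str]:
    """Server side: map a presented session cookie back to a user, if any."""
    if not cookie_header:
        return None
    morsel = SimpleCookie(cookie_header).get(SESSION_COOKIE)
    return SESSIONS.get(morsel.value) if morsel else None


def demo(secure: bool, url: str) -> dict:
    """Log in, then report what a passive observer of the request to `url` sees."""
    SESSIONS.clear()
    token = login("alice", "correct horse battery staple")
    jar: dict = {}
    store_cookie(jar, set_cookie_header(token, secure))
    sent = cookie_header_for(jar, url)
    # Over plain http the request bytes are readable on an open network;
    # over https the observer sees only ciphertext, so nothing is captured.
    captured = sent if urlsplit(url).scheme == "http" else None
    return {
        "cookie_sent": sent is not None,
        "captured": captured,
        # The sniffer's replay succeeds only if the captured cookie names a live session.
        "replay_works": whoami(captured) == "alice",
    }


if __name__ == "__main__":
    print("plain cookie, http :", demo(False, "http://example.test/wall"))
    print("Secure cookie, http:", demo(True, "http://example.test/wall"))
    print("Secure cookie, https:", demo(True, "https://example.test/wall"))
```

Run it and the three lines tell the whole story: a non-Secure cookie over `http://` is sent in the clear and the copied value logs the observer in as alice; the same cookie marked `Secure` is simply never sent on an `http://` request; and over `https://` it is sent but travels encrypted. That is the same fix the post describes, with the cookie attribute being the part the site has to get right in addition to offering HTTPS at all.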

I mentioned above that my demonstration was from before Facebook forced https. What I mean by that is that they altered their settings, only about a year ago, to force everyone to log in through https. I think you can still turn the option off if you’re especially dumb, but in general that will prevent this kind of thing. Twitter, Amazon, your bank, etc., will have done the same thing. Or should have; if your bank doesn’t have https on their login page you need to move your money ASAP because they’re dangerously stupid.

But while that works on big sites like that, a lot of little sites you visit are probably still vulnerable. I know several of my friends still visit the 501st forums and the Georgia Garrison forums frequently: they may not (or they may, I dunno) have such a certificate, meaning your shit could be sniffed if someone knew what they were looking for. Not that those would be high value targets, but they’d be good examples. For smaller sites that you’re concerned about that don’t have https available, you may not want to peruse them while you’re on a somewhat public network. Or you can configure a VPN connection to pass data somewhat more securely.

Or you could do what I do, and remote into my home machine before browsing. I know who’s on my network… just me and the wife… and if she tries to steal my bank info she’s A) going about it the hard way because she already has most of the important login details, and B) only going to end up screwing herself since it’s her money too. 

Anyway, hopefully that’s a sufficiently basic coverage of it. Needless to say if there are other IT veterans out there reading this they’re probably shouting at the screen about how I missed something or other, but the gist of it is the critical bit.