Incomplete List of Alleged Vulnerable Sites
Submitted by mikeperry on Sun, 08/24/2008 - 09:10
A couple of people have asked me to provide a list of sites vulnerable to HTTPS hijacking. Unfortunately, as a privacy advocate, I have a habit of shunning most Internet services that accumulate or otherwise link my activity long term and beyond my control. I also hate buying items online because of the data profiling, marketing, identity theft, and privacy issues associated with the inability to use anonymous digital cash, and the requirement for complete tracking of every purchase.
However, a number of people have tested the security properties of their own accounts using the method I outlined at the bottom of this post. What follows are the unofficial, unverified, secondhand results as reported to me. If you are aware of any other sites that seem vulnerable, please contact me and I will add them to the list. Additionally, if you have already been provided a copy of the tool, verification or repudiation of the status of these sites would be much appreciated, as I personally have accounts at almost none of them.
Also appreciated would be if people could provide me with a list of alternative competitor sites that *ARE* secure (if available), so that concerned users can begin to migrate away from their insecure sites to secure equivalents. This post is likely to be updated continuously as people inform me of additional sites, and if these sites fix their security.
Sites Vulnerable to HTTPS hijacking (Despite Use of SSL)
The following sites were determined to be vulnerable to the Active HTTPS Hijacking Attack that I announced last year on BugTraq. This is NOT the same as Robert Graham's Sidejacking attack, in that it requires an active attacker. The exact security properties of each site and what sort of information is available is detailed as well.
Airlines/Travel
- southwest.com: Credit card and addresses available
- united.com: Credit card and addresses available
- expedia.com: Credit card and addresses available
- usairways.com: Secure cookies not needed for address, billing information+CC, and security questions and answers
Banks
- usaa.com: Homebrew session control prevents direct attack but has nebulous security properties
- patelco.com: Fully insecure
Domain Registrars
- register.com: Addresses, partial CC info, full domain control
- namesecure.com: Addresses, partial CC info, full domain control
Miscellaneous Merchants
- netflix.com: Full payment information, rental history, address
- newegg.com: Session ID in URL for payment, but not address information
- ebay.com: Secure cookies not needed for access to payment+address info
Google Services
- docs.google.com
- finance.google.com
- google search history
- blogger.com
Miscellaneous Services
- filesanywhere.com
Sites Vulnerable to 'Sidejacking' (no SSL past login)
This is a list of sites that have been vulnerable to Robert Graham's SideJacking tool, which has been circulating in the wild for a full year. This attack can be performed both by a passive attacker that grabs cookies or site traffic while you visit these sites, and an active attacker that injects page elements to grab the cookies for these sites even if you do not visit them.
- mail.yahoo.com
- mail.live.com
- facebook.com
- livejournal.com
- del.icio.us
- myspace.com
- flickr.com
- twitter.com
- zoomr.com
- linkedin.com: "Account settings" protected, but can still create, join, and leave groups, read+send messages, edit the profile, and add+remove contacts
- ebay.com (for some limited functionality)
Again, this is an unofficial list. Corrections and additions are encouraged!
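The two failure modes described above (a session cookie that already travels in cleartext because the site drops SSL after login, versus a cookie set over HTTPS but without the Secure attribute, which an active attacker can coax the browser into sending over plain HTTP) can both be spotted from the Set-Cookie headers a site returns at login. The following is an added example, not the author's testing tool and not code from any of the listed sites: it parses Set-Cookie headers, picks out cookies whose names look session-like (the name hints are an assumption), and reports which of the two exposures applies. The sample headers are constructed for the example and do not come from any real site.

```python
"""Classify login cookies by exposure to sidejacking vs. HTTPS hijacking.

Added example for audit purposes; not the original post's tool. Input is the
list of Set-Cookie header values a site returned at login, plus whether the
login response itself came over HTTPS.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: substrings that usually mark an authentication/session cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    set_over_https: bool
    verdict: str


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attrs."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def classify_cookie(header_value: str, set_over_https: bool) -> CookieReport:
    name, _, attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    if not set_over_https:
        # Sidejacking case: the cookie was issued over HTTP, so a passive
        # listener on the path already saw it in the clear.
        verdict = "sidejacking: issued over cleartext HTTP (passive capture)"
    elif not secure:
        # HTTPS hijacking case: SSL was used, but without the Secure flag the
        # browser will also attach this cookie to any http:// request for the
        # domain, which an active attacker can trigger by injecting a link.
        verdict = "https-hijacking: no Secure attribute, leaks on any http:// request"
    else:
        verdict = "ok: only sent over TLS"
    return CookieReport(name, secure, httponly, set_over_https, verdict)


def audit(headers: List[str], set_over_https: bool) -> List[CookieReport]:
    """Report only on session-looking cookies; preference cookies are skipped."""
    return [
        classify_cookie(h, set_over_https)
        for h in headers
        if looks_like_session(parse_set_cookie(h)[0])
    ]


def exposed_cookies(headers: List[str], set_over_https: bool) -> List[str]:
    """Names of session cookies an on-path attacker could obtain."""
    return [r.name for r in audit(headers, set_over_https) if not r.verdict.startswith("ok")]


# Constructed sample login responses (not captured from any real site).
SAMPLE_HTTPS_LOGIN = [
    "SESSIONID=abc123; Path=/; Domain=.example.test",  # set over TLS, no Secure flag
    "authtoken=xyz; Path=/; Secure; HttpOnly",         # correctly scoped to TLS
    "prefs=lang%3Den; Path=/",                         # not a session cookie, ignored
]
SAMPLE_HTTP_LOGIN = ["sid=42; Path=/"]                 # site with no SSL past login


if __name__ == "__main__":
    for report in audit(SAMPLE_HTTPS_LOGIN, True) + audit(SAMPLE_HTTP_LOGIN, False):
        print(f"{report.name:10} secure={str(report.secure):5} "
              f"httponly={str(report.httponly):5} -> {report.verdict}")
```

Run against the constructed samples, the audit flags SESSIONID as hijackable despite SSL (missing Secure) and sid as sidejackable (issued over plain HTTP), while authtoken passes; the fix for the first case is adding the Secure attribute (and HttpOnly, which blocks the script-based variants), and for the second it is serving the whole logged-in session over HTTPS.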