Incomplete List of Alleged Vulnerable Sites

A couple of people have asked me to provide a list of sites vulnerable to HTTPS hijacking. Unfortunately, as a privacy advocate, I have a habit of shunning most Internet services that accumulate or otherwise link my activity long term and beyond my control. I also hate buying items online because of the data profiling, marketing, identity theft, and privacy issues associated with the inability to use anonymous digital cash, and the requirement for complete tracking of every purchase.

However, a number of people have tested the security properties of their own accounts using the method I outlined at the bottom of this post. What follows are the unofficial, unverified, secondhand results as reported to me. If you are aware of any other sites that seem vulnerable, please contact me and I will add them to the list. Additionally, if you have already been provided a copy of the tool, verification or repudiation of the status of these sites would be much appreciated, as I personally have accounts at almost none of them.

Also appreciated would be if people could provide me with a list of alternative competitor sites that *ARE* secure (if available), so that concerned users can begin to migrate away from their insecure sites to secure equivalents. This post is likely to be updated continuously as people inform me of additional sites, and if these sites fix their security.

Sites Vulnerable to HTTPS hijacking (Despite Use of SSL)

The following sites were determined to be vulnerable to the Active HTTPS Hijacking Attack that I announced last year on BugTraq. This is NOT the same as Robert Graham's Sidejacking attack, in that it requires an active attacker. The exact security properties of each site and what sort of information is available is detailed as well.

Airlines/Travel

  • southwest.com
    Credit Card and addresses available
  • united.com
    Credit Card and addresses available
  • expedia.com
    Credit Card and addresses available
  • usairways.com
    Secure cookies not needed for address, billing information+CC, and security questions and answers
  • priceline.com
    Name, address, travel history and last 4 digits of CC available if a valid path is used (no need for URL session ID though).

Banks

  • nationalcity.com
    Access to account information (account numbers limited to last 4 digits) and balance transfer ability
  • usaa.com
    Homebrew session control prevents direct attack but has nebulous security properties
  • patelco.com
    Fully insecure
  • servicing.capitalone.com
    Full credit card information available

Domain Registrars

  • register.com
    Addresses, partial CC info, full domain control
  • namesecure.com
    Addresses, partial CC info, full domain control

Miscellaneous Merchants

  • www.wireless.att.com
    Full access to account, payment and address information
  • netflix.com
    Full payment information, rental history, address
  • newegg.com
    Session ID in url for payment, but not address information
  • ebay.com
    Secure cookies not needed for access to payment+address info

Google Services

  • docs.google.com
  • finance.google.com
  • google search history
  • blogger.com
  • mail.google.com for users who do not set the 'HTTPS Only' preference

Miscellaneous Services

  • filesanywhere.com

Sites Vulnerable to 'Sidejacking' (no SSL past login)

This is a list of sites that have been vulnerable to Robert Graham's SideJacking tool, which has been circulating in the wild for a full year. This attack can be performed both by a passive attacker that grabs cookies or site traffic while you visit these sites, and an active attacker that injects page elements to grab the cookies for these sites even if you do not visit them.

  • mail.yahoo.com
  • mail.live.com
  • facebook.com
  • livejournal.com
  • del.icio.us
  • myspace.com
  • flickr.com
  • twitter.com
  • zoomr.com
  • linkedin.com
    "Account settings" protected, but can still create, join, and leave groups, read+send messages, edit the profile, and add+remove contacts
  • ebay.com (for some limited functionality)
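Both lists above come down to the same condition: a cookie that carries login state but is not marked Secure, so the browser will also send it on plain http:// requests. As an added defender-side example (not part of this post or of the testing tool mentioned above), here is a small Python audit that parses a site's own Set-Cookie response headers and flags cookies that would leak that way; the header lines are constructed samples, not captures from any site listed.

```python
# Added example: audit Set-Cookie headers for the condition behind both the
# HTTPS hijacking and the sidejacking lists above: a session cookie that the
# browser will also send over plaintext HTTP because it lacks "Secure".
from typing import Dict, List, Tuple

# Constructed sample response headers (not captured from any real site).
SAMPLE_SET_COOKIE = [
    "SESSIONID=abc123; Path=/; Domain=.shop.example; HttpOnly",
    "PREF=lang-en; Path=/; Expires=Thu, 01 Jan 2099 00:00:00 GMT",
    "AUTH=def456; Path=/; Secure; HttpOnly",
    "sid=ghi789; Path=/account; Secure",
]

# Name fragments that usually mark a cookie as carrying login state (heuristic).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, object]]:
    """Split one Set-Cookie value into its cookie name and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per cookie that a plaintext-HTTP observer could collect.

    Without Secure, the cookie rides on any http:// request to its scope, which
    is exactly what the injected page elements described above provoke.
    """
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            continue  # only ever sent over TLS; not exposed by either attack
        session_like = any(h in name.lower() for h in SESSION_HINTS)
        scope = attrs.get("domain") or "host-only"
        severity = "HIGH" if session_like else "LOW"
        findings.append(f"{severity}: {name} lacks Secure (domain scope {scope}); "
                        "sent over plaintext HTTP to that scope")
    return findings


if __name__ == "__main__":
    for line in audit_cookies(SAMPLE_SET_COOKIE):
        print(line)
```

Run it against the headers your own site returns after login; a HIGH finding means the session survives the active attack regardless of how much of the site is served over SSL.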

Update: 11/15/2008

Sites tested and re-notified; list updated.
