Automated HTTPS Cookie Hijacking

This past weekend I gave a talk at DEFCON 16 describing a very common vulnerability with many SSL-secured websites (slides are here). It actually all started last year when I began development on The Torbutton Firefox Extension and agreed to speak at Black Hat USA 2007 and DEFCON 15 on my findings with respect to Tor Security. In that talk, I announced that many sites used over Tor were not setting the 'Encrypted Sessions Only' bit on cookies they set over https. This is the case with GMail,, most Drupal sites, Facebook, Amazon's purchase history, Yahoo mail, Hotmail/MSN, many many online merchants, and a few of my friends' banks.

Syndicate content