It's about damned time

After waiting far, far longer than I had originally anticipated, I'm finally publicly posting the CookieMonster utility. I've worked with a number of developers and site admins to help test and secure their sites properly, but unfortunately, it is still the case that many sites are vulnerable. In fact, even after much correspondence with Google on the subject, it is still possible to hijack the Gmail accounts of users who attempt to use https but are unaware of the Always Use HTTPS preference. Using CookieMonster's FULL_BOUNCE_FOR config option to redirect those users to the plain url will still cause Google to re-issue an insecure version of their 'GX' cookie, which a local attacker can then sniff to hijack their Gmail accounts...
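The weakness the post describes comes down to one missing cookie attribute: a session cookie issued without `Secure` is attached by the browser to any http:// request for that host, so a single bounce to a plain URL puts it on the wire. The following is an added example, not code from CookieMonster or from the original post, that a site admin can run against their own Set-Cookie headers to find cookies that would leak this way. The cookie name `GX` is the one the post names; the cookie values, domain and URLs are constructed placeholders.

```python
"""Audit Set-Cookie headers for session cookies that lack the Secure attribute.

Added example (not CookieMonster code). A cookie without Secure is sent by the
browser over plain HTTP as well as HTTPS, so a redirect to an http:// URL is
enough to expose it to anyone on the local network. The fix is on the server:
issue the cookie with Secure (and HttpOnly), and keep users on HTTPS.
"""
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> CookieAudit:
    """Extract the cookie name and the Secure / HttpOnly flags from one header.

    Attributes are separated by ';' and are case-insensitive (RFC 6265).
    Expires values contain commas but never semicolons, so a plain split is safe.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return CookieAudit(name=name, secure="secure" in attrs, httponly="httponly" in attrs)


def would_be_sent(cookie: CookieAudit, url: str) -> bool:
    """Browser rule: a Secure cookie travels only over https://; a non-Secure
    cookie is also attached to http:// requests, which is what a bounce to the
    plain URL relies on."""
    return urlsplit(url).scheme == "https" or not cookie.secure


def audit_cookies(headers: Iterable[str], session_names: Iterable[str] = ("GX",)) -> List[str]:
    """Return one finding per session cookie that is missing Secure or HttpOnly.

    `session_names` lists the cookies that carry authentication; only those are
    reported, since leaking a preference cookie is not an account takeover.
    """
    wanted = set(session_names)
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name not in wanted:
            continue
        if not cookie.secure:
            findings.append(
                f"{cookie.name}: missing Secure; the browser would send it on "
                f"http:// after a redirect to the plain URL"
            )
        if not cookie.httponly:
            findings.append(f"{cookie.name}: missing HttpOnly; readable by page script")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: the first is the weak form, the second is fixed.
    weak = "GX=CONSTRUCTED_SESSION_VALUE; Domain=.example.com; Path=/"
    fixed = "GX=CONSTRUCTED_SESSION_VALUE; Domain=.example.com; Path=/; Secure; HttpOnly"
    for header in (weak, fixed):
        for finding in audit_cookies([header]) or ["no findings"]:
            print(f"{header!r}: {finding}")
    print("weak cookie sent on http://?", would_be_sent(parse_set_cookie(weak), "http://example.com/"))
    print("fixed cookie sent on http://?", would_be_sent(parse_set_cookie(fixed), "http://example.com/"))
```

Run it against the real headers captured from your own site's login response (for example, copied out of the browser's network inspector) by passing them to `audit_cookies`; any finding on the session cookie means the redirect trick in the post still works against your users until the cookie is reissued with `Secure`.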
