
Take care with cookies

At the Black Hat conference in Las Vegas it was demonstrated how log-in data can be stolen by intercepting the cookies a browser exchanges with a site over an unencrypted connection when using public Wi-Fi hotspots.

UPDATE: See the comments to this post for more.



1 Comment

  1. The problem here is that cookies were being passed unencrypted from the browser to the site. This is nearly as bad as passing the login and password itself in an unencrypted fashion. So, furiously pressing “delete cookies” won’t really help here. Better to realize no site is perfect, which means some good tips are:

    1) Don’t use untrusted networks (the hackers in this case were privy to all the data on the network because they had hacked a router or other device that transmits all the network information up to the internet).

    2) Use different passwords for different sites, and change them periodically

    3) Only log into web sites that use https as the protocol

    I hate it when some black hat makes a finding and then makes it sound like they’ll soon be taking over the world because they’ve discovered a problem with some technology that the general public has heard about (e.g. “cookies”). The truth is, most big sites are aware of these kinds of things – they just happened to catch Gmail doing something stupid in this instance (passing an unencrypted authentication cookie).
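To make the point in the post and in the comment concrete, here is an added example (not code from the original post, its author, or the commenter). It shows two things: first, what a passive sniffer on a shared hotspot actually gets from one cleartext HTTP request, namely the session cookie that stands in for the password; second, the browser rule from RFC 6265 that makes "only use https" work in practice, which is that a cookie set with the Secure attribute is never attached to an http:// request. The hostname, cookie names and cookie values are made up, and the capture is constructed; domain and path matching are left out to keep the focus on the Secure attribute.

```python
"""Added example: an authentication cookie sent over plain HTTP is as good
as the password, and the Secure attribute is what keeps it off http://.

Assumptions: the host, cookie names and values below are invented; the
"capture" is a constructed byte string, not a real packet.  Cookie domain
and path scoping are deliberately ignored.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed capture: what a sniffer on the hotspot sees when the victim's
# browser fetches a plain-http page on a site where it already holds a session.
CAPTURED_REQUEST = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"Cookie: SID=c2Vzc2lvbi10b2tlbi0xMjM0; lang=en\r\n"
    b"\r\n"
)


def parse_request_cookies(raw: bytes) -> Dict[str, str]:
    """Return name -> value pairs from a cleartext request's Cookie header."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    cookies: Dict[str, str] = {}
    for line in lines[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return cookies


def hijacked_session(raw: bytes, session_cookie: str = "SID") -> Optional[str]:
    """The attacker needs only the session cookie to replay the login."""
    return parse_request_cookies(raw).get(session_cookie)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def cookies_sent_to(set_cookie_headers: List[str], url: str) -> Dict[str, str]:
    """Apply the RFC 6265 Secure rule: a Secure cookie goes out only over https.

    Domain/path matching is omitted (assumption: same origin as the setter).
    """
    scheme = urlsplit(url).scheme.lower()
    sent: Dict[str, str] = {}
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if "secure" in attrs and scheme != "https":
            continue  # browser withholds the cookie on a cleartext request
        sent[name] = value
    return sent


# Constructed Set-Cookie headers: the weak setting beside the corrected one.
WEAK_SET_COOKIE = ["SID=c2Vzc2lvbi10b2tlbi0xMjM0; Path=/; HttpOnly"]
HARDENED_SET_COOKIE = ["SID=c2Vzc2lvbi10b2tlbi0xMjM0; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("session cookie visible to sniffer:", hijacked_session(CAPTURED_REQUEST))
    for label, headers in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, "over http: ", cookies_sent_to(headers, "http://mail.example.com/inbox"))
        print(label, "over https:", cookies_sent_to(headers, "https://mail.example.com/inbox"))
```

The weak header leaks the SID on any http:// fetch even if the login itself happened over https, which is why logging in over https is necessary but not sufficient; the hardened header keeps the session cookie off cleartext requests entirely, so there is nothing for the sniffer to replay.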

Some rights reserved 2021 Right Reading. This work is licensed under a Creative Commons (attribution, noncommercial, no derivs: 3.0) License (US), although some of the work this blog incorporates may be separately licensed. Text and images by Thomas Christensen unless otherwise noted. For print permissions or other inquiries please request via