Take care with cookies

At the Black Hat conference in Las Vegas it was demonstrated how login data can be stolen by intercepting the cookies a browser exchanges with a site when using Wi-Fi hotspots.

UPDATE: See the comments to this post for more.

1 Comment

  1. The problem here is that cookies were being passed unencrypted from the browser to the site. This is nearly as bad as passing the login and password itself in an unencrypted fashion. So, furiously pressing “delete cookies” won’t really help here. Better to realize no site is perfect which means some good tips are:

    1) Don’t use untrusted networks (the hackers in this case were privy to all the data on the network because they had hacked a router or other device that transmits all the network information up to the internet).

    2) Use different passwords for different sites, and change them periodically

    3) Only log into web sites that use https as the protocol

    I hate it when some black hat makes a finding and then makes it sound like they’ll soon be taking over the world because they’ve discovered a problem with some technology that the general public has heard about (e.g. “cookies”). The truth is, most big sites are aware of these kinds of things – they just happened to catch Gmail doing something stupid in this instance (passing an unencrypted authentication cookie).
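To make the commenter's point concrete: a session cookie set without the Secure attribute is attached by the browser to plain HTTP requests for the same host, so logging in over HTTPS alone does not keep it off an untrusted network; the site has to mark the cookie Secure. The following is an added example, not code from the post or its commenter; it uses Python's standard cookie jar as a browser-like stand-in, and the host name and cookie values are constructed.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

# Constructed sample: what a login response might set. Host and values are made up.
LOGIN_URL = "https://mail.example.test/login"
SAMPLE_SET_COOKIE = [
    "SID=abc123; Path=/",           # session cookie with no Secure attribute
    "SSID=def456; Path=/; Secure",  # same idea, but marked Secure
]


class _FakeResponse:
    """Stand-in for urllib's response object; CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def cookies_sent_to(url, set_cookie_headers=SAMPLE_SET_COOKIE, login_url=LOGIN_URL):
    """Store cookies from a simulated HTTPS login response, then report which
    cookie names a browser-like jar would attach to a request for `url`."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers),
                        urllib.request.Request(login_url))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)  # applies the Secure, domain and path rules
    header = request.get_header("Cookie") or ""
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


if __name__ == "__main__":
    for target in ("http://mail.example.test/inbox",
                   "https://mail.example.test/inbox"):
        print(target, "->", cookies_sent_to(target))
```

The plain-HTTP request carries only the cookie that lacks the Secure attribute, which is exactly the cookie a hotspot eavesdropper would see; the Secure-flagged one is sent only over HTTPS.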