Saturday, August 4, 2007

Hackers bite into "cookies" to plunder user data from websites

Hackers and computer security specialists gathered in Las Vegas on Friday took aim at popular social networking websites, exposing ways to plunder data from software "cookies" used to track users. Revelations made at an international gathering of hackers dubbed DefCon come as Internet rivals Google, Microsoft, and Ask acquire firms that rely on cookies to better target money-making online ads. "Websites could easily fix the problem by encrypting cookies," Errata Security chief executive Robert Graham told AFP.

US college student Rick Deacon arrived at DefCon on Friday ready to demonstrate how to use trickery and software skills to steal enough information from MySpace users' cookies to commandeer their profile pages.

"You can become them on MySpace; basically hijack accounts left and right," Deacon told AFP.

The attack relies on duping MySpace users into clicking on a rigged link, perhaps posted in an online forum or bulletin board, that routes them to a file which steals passwords and other information from their cookies.

"I've never seen it fail," Deacon said. "I become you on MySpace."

Hackers can use commandeered profiles as springboards for more attacks or to infect users' computers with viruses, according to Deacon.

"I could rip through your computer as easily as I stole your cookie."

The "hole" in defense is not limited to MySpace, according to Deacon, who listed Facebook and Google as vulnerable to the attacks.

Social networking websites are prime targets, Deacon said.

"MySpace takes the safety and security of its community incredibly seriously and we have a dedicated rapid response team working 24/7 to address any security issues," MySpace said in a written response to an AFP inquiry.

Graham counters that MySpace is "not going full bore" to block the attacks, which could be "weaponized" to infect computers with malicious code.

Hackers who do not want to trick users into clicking on booby-trapped links to raid cookies can do it remotely at "hot spots" where people connect wirelessly to the Internet, said Graham.

"If you are at any old Wi-Fi hot spot, like a Starbucks or airport, a hacker can sit next to you and get the cookies you are sending back and forth on the Internet," Graham said.

"It's insanely easy. As far as I can tell, it affects every website."
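The two exposures the article describes, cookies captured in the clear at a hot spot and cookies read by script reached through a rigged link, are both addressed by attributes a site sets on the cookie itself. The following is an added example, not code from the article or from MySpace, Facebook or Google, that audits Set-Cookie headers for the Secure and HttpOnly attributes; the sample headers are constructed for illustration.

```python
# Added example, not code from the article or from any site it names.
# Audits Set-Cookie headers for the two attributes that block the thefts
# described above: without "Secure" a cookie travels in cleartext over HTTP
# and can be read by anyone on the same open hot spot; without "HttpOnly" it
# can be read by script that a rigged link injects into the page.
# The sample headers are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CookieReport:
    name: str
    attrs: Dict[str, str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Split 'name=value; Attr; Attr=val' into a name and a lowercase attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieReport(name=name, attrs=attrs)


def audit_set_cookie(header: str) -> CookieReport:
    """Flag a cookie that would be exposed to hot-spot sniffing or script theft."""
    report = parse_set_cookie(header)
    if "secure" not in report.attrs:
        report.findings.append("missing Secure: sent in cleartext over plain HTTP")
    if "httponly" not in report.attrs:
        report.findings.append("missing HttpOnly: readable by injected script")
    return report


def is_hardened(header: str) -> bool:
    """True when the cookie carries both Secure and HttpOnly."""
    return not audit_set_cookie(header).findings


# Constructed sample headers: the weak form beside the corrected one.
WEAK_HEADER = "SESSIONID=abc123; Path=/; Expires=Wed, 01 Aug 2007 00:00:00 GMT"
HARDENED_HEADER = "SESSIONID=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        report = audit_set_cookie(header)
        print(report.name, "OK" if not report.findings else report.findings)
```

Secure only helps if the site actually serves its pages over HTTPS, which is the "encrypting" Graham refers to; HttpOnly limits what a script reached through a rigged link can read but does not stop a request made by that script from carrying the cookie.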

Graham demonstrated the Wi-Fi hack at a Black Hat conference for computer security professionals in Las Vegas this week, breaking into a web-based e-mail account and sifting through the person's messages.

"There is so much information in your e-mail or social networking account," Graham said. "If I'm stalking you, I can go to your Google Maps cookie and probably find out where you live."

Free public Wi-Fi systems such as the one Google built in its California home town and is working on in San Francisco should feature encryption to protect users, Graham argues.

"I would never use public Wi-Fi," Graham said. "Not on your life."