bleeber

Using cookies to steal info from other cookies?

6 posts in this topic

Hey all,

So I play this little online game called World of Warcraft. The other day I had my account stolen from me and had to get on the phone with their technical support to have them reset my pass. While I was on the phone, I ran some anti-virus scans (AVG) and some malware scans (SB S&D). AVG came up fine but I had 7 bad cookies in Firefox that showed up. This didn't really faze me at first and I just deleted my cookies and rescanned and everything was fine.

Later a friend sent me an article that stated that people were using code on their sites to steal your saved passwords from Firefox. Since the only thing I found was bad cookies, I started searching about that. Some sites have provided information about cookies and the HTTP referer to spoof cookies, but I haven't found anything that appears to show how one may go about stealing cookies from other sites that are saved in your browser.

Does anyone know where I can find some docs on this or know how this was accomplished?

theBleeber


Most common way to steal cookies would be by using Cross Site Scripting or XSS. You inject a piece of (JavaScript) code into a site that does a GET or POST to a site/page/url that you control with the cookie as a parameter.

Another way would be a trojan. I know there are trojans out there that specifically scan for gamekeys and game logins.

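An added example, not part of any post in this thread: the cookie theft described above depends on page script being able to read the cookie and on user input being rendered as script. This sketch audits `Set-Cookie` headers for the attributes that block that and shows output encoding; the function names and header values are constructed for illustration.

```javascript
// Added example: check Set-Cookie headers for attributes that limit
// what an injected script (XSS) can do with a cookie.
// All header values below are constructed sample data.

function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [first, ...attrs] = parts;
  const eq = first.indexOf("=");
  const name = eq === -1 ? first : first.slice(0, eq);
  const flags = new Map();
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    flags.set(key, i === -1 ? true : a.slice(i + 1));
  }
  return { name, flags };
}

function auditSetCookie(header) {
  const { name, flags } = parseSetCookie(header);
  const findings = [];
  // Without HttpOnly, page script can read the cookie via document.cookie,
  // which is what the injected code described in the post relies on.
  if (!flags.has("httponly")) findings.push("script-readable (no HttpOnly)");
  if (!flags.has("secure")) findings.push("sent over plain HTTP (no Secure)");
  const ss = String(flags.get("samesite") || "").toLowerCase();
  if (ss !== "lax" && ss !== "strict") findings.push("no SameSite=Lax/Strict");
  return { name, findings };
}

// Output-encode untrusted text before placing it in HTML,
// so that it is displayed as text instead of running as script.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

const sampleHeaders = [
  "session=abc123; Path=/",
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "theme=dark; Path=/; Secure",
];
for (const h of sampleHeaders) {
  const { name, findings } = auditSetCookie(h);
  console.log(name, findings.length ? findings.join("; ") : "ok");
}
```

HttpOnly only stops script from reading the cookie; it does not stop the injected script from acting as the logged-in user, so output encoding is still needed.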

Why not just turn off saved passwords?? I know it's a bummer to remember all of them.... that's why I have a notebook full of them... and when I write them down, I like to transpose things so if someone were to come in and get the notebook they'll have to scratch their heads for a while trying to figure out my logic... which is screwy.

Also in Firefox... Tools/Options/Privacy... have it clear everything when you close Firefox.

Edited by PurpleJesus
> Why not just turn off saved passwords?? I know it's a bummer to remember all of them.... that's why I have a notebook full of them... and when I write them down, I like to transpose things so if someone were to come in and get the notebook they'll have to scratch their heads for a while trying to figure out my logic... which is screwy.
>
> Also in Firefox... Tools/Options/Privacy... have it clear everything when you close Firefox.

Instead of when you close Firefox I would get CCleaner or something of that nature and do it when I restart the computer or go in and do it manually when I feel paranoid. I say this because I may be on the same site several times throughout the day and may not feel like having to relog in every time, so I would assume others do the same. Also, just because your account was stolen doesn't necessarily mean that your computer was hacked; you yourself could have been hacked if anyone managed to squeeze info out of you. Also, they could have just seen your user account name in game and then brute forced the password.


I understand the techniques I could employ to protect myself in the future. What I was wondering is how, technically, this was done. The fact that this happened was annoying at best. What I am trying to learn is, how did they do it.

Thanks,

Edited by bleeber