Bugtraq mailing list archives
Re: cache cookies?
From: "James N. Potts" <jnp () CRNET COM>
Date: Thu, 14 Dec 2000 17:49:18 -0600
Thomas Reinke wrote:
Actually, it *does* work. We have on our site a working demonstration of the exploit, showing whether or not you've visited one or more of more than 80 different well known sites. The URL is http://www.securityspace.com/exploit/exploit_2a.html We've found with the demo that a) It is as reliable as the ability to find an image that would be cached by the browser. In fact, the timing is very accurate, but other factors can fool the mechanism. Out of the 80 odd sites we tested, we had 3 false negatives.
The first time I tried your exploit, I had negatives for every site. The second time, I had positives for every site (as has been pointed out would happen). Which leads to:
b) Dangerous is subjective - a malicious site CAN find out what sites you have visited. How much they can do with it? Well..that's up to the imagination. Certainly I doubt (hope?) that larger organizations wouldn't stoop to this trick, but I honestly see nothing preventing advertising orgs and so on from not doing this, other than the uproar it would cause in the industry.
Because of the above problem, the data becomes useless. After visiting a malicious site once, that site can never see if you've visited anyone since (without regularly changing the files that they look for). Plus, there's bound to be overlap between malicious sites; it's plausable that within a short period of time, all users visiting malicious sites would have positives for all overlapping sites, even though the users have never truely visited those sites. Since the data isn't trustworthy, why would sites bother to look for it? -Jim Potts
Current thread:
- Re: cache cookies? Clover Andrew (Dec 14)
- Re: cache cookies? Thomas Reinke (Dec 15)
- Re: cache cookies? James N. Potts (Dec 16)
- Re: cache cookies? Dan Harkless (Dec 16)
- Re: cache cookies? MadHat (Dec 18)
- Re: cache cookies? Steve Shockley (Dec 16)
- Re: cache cookies? Rossen Raykov (Dec 16)
- Re: cache cookies? Nick Lamb (Dec 18)
- Re: cache cookies? Thomas Reinke (Dec 18)
- Re: cache cookies? Kee Hinckley (Dec 16)
- Re: cache cookies? Szilveszter Adam (Dec 18)
- Re: cache cookies? James Taylor (Dec 19)
- Re: cache cookies? Szilveszter Adam (Dec 18)
- <Possible follow-ups>
- Re: cache cookies? Rob Lemos (Dec 18)
(Thread continues...)
- Re: cache cookies? Thomas Reinke (Dec 15)