
Hello everyone. Come on, some love please. Yeah, so, if you look at my last name you might think I'm German. Actually not, I'm originally from Paraguay. And before starting this I want to ask you if you know what the greatest contribution of Paraguay to hacking is. Anybody? You will never get it, so let me just show you what it is. It's actually right here. Not this, actually. Thank you.

Okay, so my talk is called Cookie Monster: hijacking the social login. As I was introduced, I work as a pen tester, but apart from doing that I also enjoy a lot giving presentations, not to the kind of people that you are but to people who are not very aware of IT security. I enjoy that very much, and more often than not I get asked the following question when I'm doing this type of presentation: can you hack my Facebook, Gmail, Outlook, whatever? I'm sure most of you can relate to these types of questions if you tell people you're working in IT security. So if I got a dime every time I get asked this question I would be a very, very rich person. So one day I decided, you know what, I'm going to try to figure out how to do this, because I was tired of giving the same vague answers to these people all the time.

So I sat down and started saying, okay, how am I going to approach this issue? And the first thing you might think of is probably going for phishing, some credential harvesting, maybe a keylogger on your victim's machine, maybe grabbing the password from the browser storage or the storage of the password manager. If you know some forensics you might find it in a memory dump, or maybe just do plain old guessing, right? So nowadays security in web applications is getting better and people are becoming more aware of the things that hackers are able to do, so more often than not you're going to be facing this little obstacle which is called two-factor authentication. So since I had to deal with this when giving the answer on how I would approach hacking your web application account, and I didn't want to tell them, okay, let's just go for some social engineering techniques to try to grab your two-factor token, I needed to find something better, something simpler and more effective. So then it came to me: how about cookies?

I'm sure most of you are aware of what cookies are, I hope, but for those of you who don't know what they are, and also for those of you at home watching, let me give you the cookies 101. To authenticate your web browser to a website you send your username, your password and your two-factor authentication token, and then the web server will validate your authentication and will send back a token cookie to the browser, which is basically just a long random string that will in essence become the password, the credentials that your browser will use with the web application for the duration of that session. Now let's focus on the fact that the authentication part happens here, and that includes the two-factor part of the authentication, and the cookie is only generated after all of that has already been validated. So that gives you a hint that if you somehow manage to grab the cookie from your victim, then you most likely will be able to bypass most two-factor authentication protections we use nowadays.

So how do you steal cookies? If you want to know how to steal the cookie, then you probably go to Google and do a search, "how do I steal cookies", and the first one or two pages, which is pretty much all that exists, because the third page in Google [laughter], they will tell you something that can be briefly summarized in this list I have here. Let's read it: an attacker can use a variety of methods in order to steal session cookies depending upon the network, blah blah, and the only protection mechanism against this, the real way, the only way to do it, is to use encryption, HTTPS. So it was very surprising for me to see that most literature on the web only talked about cookie stealing as a network-based attack. But what about the jar? This obsession with network-based cookie stealing and session hijacking attacks means that people somehow forgot that cookies not only live on the network, in the traffic, but they're also stored locally by each browser. So here you can see an example from my Google Chrome, that's the Cookies file, which is located somewhere in your user folder in Windows and which is just a plain SQLite database that contains all your cookies. And you have the same example for Firefox, again an SQLite file somewhere in your user folder, the same principle.

So let's take a closer look. This is the Firefox table of the database, the moz_cookies table, that contains the cookie information. Very straightforward, it just has a table that has all the cookies here with their different properties and the values of the cookies here. So that's great, that means that if you manage somehow to gain access to the file system of your victim, then you can easily steal the cookies because they're just lying there. Now let's go to Chrome, and we can see that they're actually doing something more about protecting these cookies. If you see the value column here you will notice that it is unused; most of the time you'll find it empty, and if you take a look to the right you will see there is another column called encrypted_value. So Chrome goes, like I said, a bit further with protecting cookies and they actually encrypt them, but at least for Windows what they use is a key that is associated with the Windows profile of the user that owns the cookie. So that means that if you are able to run code within the same context as the user that owns that cookie, then you are also able to decrypt that cookie.

So the fact that this attack vector has largely been ignored by most of the offensive security people means that, at least up to my knowledge, there was not a good tool developed to help you retrieve these values from the file system. So since I couldn't find a tool, I just said, well, I'll just make a tool, and that's why I started the Cookie Monster project. So what is Cookie Monster? It's just a simple PowerShell post-exploitation script, which means that you have to compromise your victim's machine first, obviously. Why do we need this? Well, to help an attacker or tester quickly dump the local cookie storage and identify active sessions. So the tool should support different browsers, and at the moment it supports Chrome and Firefox on Windows. Of course it should also be able to target popular web applications such as Facebook, Gmail, Outlook, Twitter, the big ones, and it should also be able to target custom tokens, which I'm still working on.

So let's just have a brief demo so you can see how the tool works. Let's hope this time it doesn't screw up. So here we have, yeah, this is a Windows machine that's been compromised already, the file system is compromised. So let's log into this Facebook account. As you can see, two-factor authentication is enabled.
So whether you want to remember the browser or not, it doesn't matter, you can choose either option here. As you can see we have a valid session now with Facebook and we're coming from this IP, you can see it there, the one that starts with 1.1. So now let's go to my command and control machine, which is located somewhere in the cloud; it's running Empire. So now we're in the Empire PowerShell framework, it's a really cool framework for using PowerShell to hack computers. This PowerShell agent, which is already running on the infected machine, already has the Cookie Monster script loaded, and what we're going to do is just run it. It might be a little hard to read, but it just says invoke Cookie Monster, we're targeting specifically Facebook in this case, and we want to make the output portable so that we can use it later to load it on our local machine. So this would be the output of the tool. It will just tell you the cookies that you're interested in, the ones that are used to handle the session for Facebook, and it will give you a nice script that you can run locally on your machine to create a cookies file that you can later load into your attacking browser.

So let's see this in action. We're going to copy that little script from the command and control server and run it locally on our machine, so we've created this cookie file. Now I'm going to change window a little bit, and I change the IP I'm coming from, so you can see that the IP doesn't matter in this case. As you can see I'm coming from a completely different IP which is located in a different country. I'm going to load the cookies here with this Firefox extension for handling cookies, and I'm just going to go to Facebook. As you can see, the session hijacking is achieved despite the fact that we're coming from a completely different operating system, as you can see this is macOS versus Windows, a very different browser, Firefox versus Chrome, and a completely different IP in a different country. Yeah, so that's pretty much it, very simple.

So not everything is unicorns and rainbows when it comes to cookie stealing; there is some other stuff that you should consider as well. Sometimes the victim happens not to have an active session with whatever application you're targeting. So what can we do in this case? Well, if you have access to the file system and that computer is used by the victim to log in to that specific website that you're interested in, it's very easy to just sit and wait, wait and steal, right? So that's what I have implemented in the tool, it's called wait-and-steal: you just check every n amount of time until you see that the cookie database contains the cookie that you're interested in, and when that happens the cookie that you've just seen is retrieved. Very simple, very straightforward.

Another thing that could happen is that the user, the victim, can invalidate the session that you have stolen by logging out. So you can think, when you retrieve the cookie from the victim, both the victim and the attacker would be in possession of the same cookie, sorry, two copies of the same cookie. So what can we do in this case? Well, very simple, we just use a simple remove cookie, which will basically just delete the cookie from the database of the user, and as an attacker you will be the only one holding a copy of the cookie. So this actually has some serious implications. At least for the case of Facebook and all the mainstream applications, they do some good session management, they allow you to end sessions manually if you don't trust those active sessions. But you can think of applications that you might develop, or that you might test if you're a tester, which don't have these session management controls. So if I steal a cookie from you that has an active session with a web application that is important to you, and you don't have access to that cookie anymore, how do you kick me out of your session? So that's something to think about.

So another reason why I focus so much on these mainstream applications like Facebook, Google and the others is that they not only handle their own authentication, but they also provide social login. So I'm sure you're familiar with this, maybe you use it. How many of you use social login to log in with your Facebook and Google accounts to other accounts? Don't be shy. I do it, I do it, and I wrote this presentation anyway. So here are some examples. Now let me tell you a little secret about social logins: you don't really need to know the username and password of the account that you use for your social login in order to hijack the session of the application that relies on the identity provider. So let's have a look at this little graph here that explains a little bit how the flow typically looks in these implementations of social logins. We can see in step number three that if the cookie is available for the identity provider and you have a valid session, then automatically you will have a valid session with the other application that relies on the identity provider as an authentication provider.

So let's see this a little bit in a demo here. Very quickly, I'm just going to log in to Google, two-factor authentication again; Twitter, again two-factor authentication enabled; and Facebook, same thing, two-factor authentication enabled, on this victim machine. Yeah, so we have now a valid session with all these three sites. This time we're going to run Cookie Monster, except we're not going to target any specific application, we're just going to dump the whole cookie database, it makes it easier. So here we have the entire cookie database for that particular user. Same process: we're going to copy the little script and put it on our local attacker machine, and then we proceed to hijack the sessions. So here we're creating the cookie file on our local machine, and now we're going again to our attacker machine, I load the cookies, and I'm going to change the IP so you can see we're coming from a different place.

So all this session hijacking thing is nothing new, by the way; this is a well known issue, but a lot of people that I show this to are actually not aware that you can do this, and that is one of the reasons why I decided to try to take this issue around and show it to people. So just how many of you know that you can do this? Okay, so you're aware of this, that's cool.
So now we have this session hijacked, and we're going to take a look at the apps that are connected to this. So we go to Facebook, we go to settings and apps, and we can see an example here, Expedia, which allows login with Facebook. For Gmail we go to My Account, we go to connected apps and sites, and as an example we have here Dropbox, which is connected to this account. And for Twitter it was so hard to find an application that actually relies on Twitter, but I found one, MySpace. Yeah, I haven't used MySpace in so long. So let's go to Expedia now, sign in, sign in with Facebook, and as you can see now we have a valid session with the Expedia site, which is relying on Facebook as an authentication provider. So these are just examples, there are many other applications out there, and of course the security implications of this depend on what application we're talking about. Now let's go to Dropbox, same thing, we can sign up, not sign up, in this case this actually stands for sign in because the account already exists, and now we have also gained access to that Dropbox account. Now with MySpace, and this is what MySpace looks like in 2017. I always love all those cookie messages here because it goes so well with the talk. Anyways, same thing, Twitter in this case, and now we are logged in again as the user. Yeah, so that's pretty much it.

So of course this attack will not be effective, at least on some web applications that implement strong session management controls such as short session expiration and timeouts, not allowing concurrent sessions, binding the session to user properties, etc. Now the question is, how many of the mainstream applications, or the applications that you test in your daily life, actually implement all these controls? And it's a very hard thing to do, because it's a very big question, and there is a balance that you have to strike between the usability of your application and the security of the application. So yeah, it's not an easy thing. So I've been talking with Google; I wrote to Google, Facebook, Twitter and some others as well to see what their take on this is, and basically the answer can be summarized as: this is beyond the control of anything we can do, because once you've lost control of your file system then all bets are basically off, so there's not much that can be done about it. At least, yeah.

So as a conclusion to this I want to say that most conventional knowledge will argue that using social logins is safer, as we tend to believe that the strong authentication controls that these identity providers implement will make our accounts more secure. Now I really don't want to argue against that or for that, but I just want you guys to consider that this is a factor when you are deciding whether or not to sign up with social login providers. So before I finish I just want to leave you with a final question that I asked myself: is it okay to have lax session management practices on sites that are authentication providers? So I will leave that to you to answer yourself, and maybe we can have a discussion afterwards anyway. But that's all for my presentation. If you want a copy of the tool it's available on my GitHub, or you can write to me on Twitter as well, there. And I actually presented this at BSides as well, but it was a one hour presentation back then, so I had the chance to do more demos, some cool things, so if you want to take a look, if you want to see more demos, then you can check out the recording of BSides Ljubljana. Yeah, anyway, that's all for me, thank you very much.

[Audience question] Yes, they send out an email when you're logging in from a different device?

Yes. So this also, as far as I have looked into it, most of the controls, including the Gmail controls and the Facebook controls, are only done at authentication, at least from my experience. I mean, like, you might know more about this to judge, the Google guy here, yes, he talked about secure cookies this morning as well, so it was from a different perspective anyway. So most of those controls, at least from what I've seen and what I was doing in the testing, are only happening during the login. That's why I wanted to emphasize, if you're coming from a different IP, at least Facebook and Gmail are not complaining so much, and they only complain when you do the authentication, and that's where most of the checks are done, at least from my experience. So if you have experienced something different that would be very interesting to see.

[Audience question] [partly inaudible] ... because this leads to user agent comparators?

Well, that's exactly, that's exactly what I asked when I was talking to them, and they told me that they didn't think that was the right way to go about it, to do any property binding to the cookies; they didn't think that was an effective solution. I don't know why, and I'm not going to say why they think that, I just... what I did... the answer that I got from them, I think it has to do a lot with usability, because you don't want your session to break every time you change a piece, if you have a mobile...

[Audience] Yeah, when you have a key inside there may be user agents different [inaudible].

Yeah, just the user agent doesn't change if you change your [inaudible], like you remember, on the other hand the things that you can also lose those. So at the end of the day it's really a... I mean it will raise the security a little bit, but it's not really a solution.

[Audience question] So what's your recommendation, anything?

Well, yeah, actually one thing that I've seen work in this case, if you're really paranoid, you might want to browse, to only use the internet where it's safe [laughter], to go incognito mode, that's it, because incognito mode doesn't flush the cookies to the hard drive, it only keeps them in memory from what I've seen. So at least until I figure out how to extract them from memory, you're safe. Yeah, so that's a little thing that you can do. Otherwise, just don't get your computer hacked, basically. [inaudible] Thank you.
[Audience question, inaudible]

Yeah, so the... yeah, that's a good approach, but the thing is, like you saw there, one of the things that the tool implements is that it waits until it sees there is a cookie with an active session and then it steals it, so that would not really protect you. So what the tool will do is it will just keep checking, and once it sees that you log on to that site that I'm interested in, it will actually first have to crash the process of the browser in order for me to be able to delete the cookie, because the browser has a lock on the cookie database. So what I do is I crash the browser process, I retrieve the cookie, I delete it, and then you can log in again, so I have another session to your account. So, like I said, with Facebook, yeah, so at least with Facebook and Google and the big ones, you can still go there and manually delete the other session if you actually realize that you've been hacked, but there are many other websites out there that don't have this control, so that's why it's an interesting thing to think about.

[Host] Okay, let's call it break time now, just five minutes so you can have a cup of coffee. It's not the official break yet, that comes a bit later, but just because we have five sessions in a row. And if you want to keep discussing with Martin, we've got breakouts [inaudible]. Thank you.

[Applause]
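The server-side session controls the speaker lists near the end of the talk (short lifetimes and idle timeouts, capping concurrent sessions, optionally binding a session to a client property, and letting the user see and end all active sessions) as an added example that is not the speaker's Cookie Monster tool nor any identity provider's code. It assumes an in-memory store, hypothetical policy values, and constructed user names, user agents and timestamps; the scenario function replays the "remove cookie" situation from the talk, where the victim no longer holds a copy of the cookie and must rely on a revoke-all control.

```python
import secrets
from dataclasses import dataclass

# Hypothetical policy values chosen for this example, not taken from any real provider.
ABSOLUTE_LIFETIME = 8 * 3600  # seconds a session may live after login
IDLE_TIMEOUT = 30 * 60        # seconds without activity before it expires
MAX_CONCURRENT = 2            # sessions a user may hold at the same time

@dataclass
class Session:
    user: str
    user_agent: str
    created: float
    last_seen: float

class SessionStore:
    """Minimal server-side session store with the controls mentioned in the talk."""
    def __init__(self, bind_user_agent: bool = True):
        self.bind_user_agent = bind_user_agent
        self._sessions = {}  # token -> Session

    def login(self, user: str, user_agent: str, now: float) -> str:
        # Called only after password and second factor are verified; the token is the credential.
        token = secrets.token_urlsafe(32)
        active = sorted(self.list_sessions(user), key=lambda t: self._sessions[t].created)
        for old in active[: max(0, len(active) + 1 - MAX_CONCURRENT)]:
            del self._sessions[old]  # cap concurrent sessions, dropping the oldest first
        self._sessions[token] = Session(user, user_agent, now, now)
        return token

    def validate(self, token: str, user_agent: str, now: float):
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]  # short lifetimes limit how long a copied cookie is useful
            return None
        # Binding to a client property raises the bar, at the usability cost raised in the Q&A.
        if self.bind_user_agent and user_agent != s.user_agent:
            return None
        s.last_seen = now
        return s.user

    def list_sessions(self, user: str) -> list:
        return [t for t, s in self._sessions.items() if s.user == user]

    def revoke_all(self, user: str) -> int:
        """The 'end all sessions' control: how the victim kicks out a copied cookie."""
        tokens = self.list_sessions(user)
        for t in tokens:
            del self._sessions[t]
        return len(tokens)

def stolen_cookie_scenario(bind_user_agent: bool) -> dict:
    """Copied cookie replayed from another browser; victim logs in again, then ends all sessions."""
    store = SessionStore(bind_user_agent)
    t0 = 1_700_000_000.0  # constructed timestamp
    victim_ua, attacker_ua = "Chrome on Windows", "Firefox on macOS"  # constructed
    token = store.login("alice", victim_ua, t0)
    replay_ok = store.validate(token, attacker_ua, t0 + 60) == "alice"
    store.login("alice", victim_ua, t0 + 120)  # victim's local copy is gone, so she logs in again
    still_ok = store.validate(token, attacker_ua, t0 + 180) == "alice"
    store.revoke_all("alice")
    after_revoke = store.validate(token, attacker_ua, t0 + 240) == "alice"
    return {"replay_ok": replay_ok, "still_ok": still_ok, "after_revoke": after_revoke}
```

Without a revoke-all control the copied token stays valid even after the victim logs in again; user-agent binding stops the replay in this run but, as discussed in the Q&A, also breaks legitimate sessions whenever the client changes.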