Cookie Stealing - Computerphile

This guy has forgotten more about computers than I'll ever learn

Shouldn't this video be called "Biscuit Nicking"?

I hate you guys. I have stuff to do, it's almost midnight and I keep on watching your so very interesting videos.

Dr. Pound is really good. I want more videos from him.

This guy and Tom Scott are my 2 favorite people on Computerphile. I just wish Tom still made videos on here.

When I explain session ID's to other people (who usually couldn't care less), I always explain it like this; There are "blind guards" to "doors" in a webpage. At the front of the website there's someone who asks for your secret password, you tell them the password and they give you a special badge with Braille on it. You walk into the website and when you feel like going to another "room" (page)...you walk up to the guard and they grope you and say "oh well...you MUST be that person or they wouldn't have let you in, so I'll show you the stuff that only you are suppose to see"......the problem is when someone else makes a copy of that badge...the guards can't tell the difference. Then I go on about cross-site scripting until they go cross-eyed and then I install the NoScript browser extension for them cause they said "I don't care "how" it works...just make it so they can't do it.

11:37 It might be worth emphasising here that the reason this works is because the script specifically read the contents of the cookie and included it in the URL parameters for the image. Normally the browser will not send cookies intended for one site to a completely different one.

Computerphile drinking game. Take a shot every time he tugs on his sweater.

I love these videos that you and Tom Scott do here on Computerphile with ways people can and do hack websites while providing LEGAL examples. I would really like it if you and Tom Scott do more of these.

If I knew of this channel earlier my web projects would've benefited from it so much!

Might also be worth mentioning the HttpOnly flag for cookies here. I mean, obviously if you're vulnerable to XSS that's a serious problem regardless of what other security measures you've taken to protect users, but at least with HttpOnly set the JavaScript won't be able to steal cookies.

Upvote for that blog alone.

I'm so out of the loop. I didn't even realise this was possible in this way.

For anyone thinking about pinning an IP address to a cookie, don't. Not only does it change if you move to new wifi network, it changes if you move between wifi and mobile, if you move between cell towers, if you're on public transport which offers free wifi and some ISPs even use a different IP address for every request (albeit usually South East Asian dial up connections). I've had people complain that they couldn't log in to a website before because their IP address changed between submitting a login form and getting the response back.
Also, if you really want to secure yourself from SQL injection you should use prepared statements, ideally with stored procedures, and never adjust the base query at all. Escaping is not generally good enough to stop more advanced attacks.

alert("Just testing... :P")

I steal my grandma's cookies all the time.
Much easier than the way you do it.
I just reach into the jar.

Don't get ghostery... It's owned by ad targeting companies.

4:02 "Your blog is bad, and you should feel bad." Futurama reference.

Fantastic video!! I already knew all this stuff but still very enjoyable to watch. More web dev stuff please!

Thank you for always providing clear content Mike

You guys should do a series on stuff like this and how to try and prevent it. Since not too many people realise stuff like this especially when they begin coding - even Twitter has this happen not that long ago. I see how you show how it’s done, but you didn’t show how to prevent it ( an easy way that I use, is replace all angle brackets with the HTML code for it - it’s an ampersand and some text - now it won’t be valid HTML ). Heck, maybe even videos on how to secure your server itself.

Looked up ghostery as soon as you mentioned it and installed it to both browsers I use. Thanks!

Good job as always, Mike.

Mike Pound is my favorite Computerphile host

I love MIke Pound's videos!

I actually heard a story of the valve steamworks not being protected against XSS which would allow a rogue developer to put HTML tags in the description of their app description and steal the cookies of any valve administrator visiting the info of his app.

Great explanation about this issue. Thank you very much.

It would be awesome if you could provide your test website codes so one could try out for themselves and follow along
Thanks for the awesome content

very nice videos, computerphile, keep the good job

so over my head, but nice to have an inkling of what it means!

There are lots of complicated and simple methods that you can implement between IP locking the cookie and nothing. Been a while since I had to develop a web app, but a common technique I would use would be that every time a request is made a new session ID (or a secondary ID) is generated and the last one is invalidated. This will mean your session ID keeps changing, reducing the size of each attack window and if your cookie is stolen and used when you next request with the cookie the attacker has invalidated, it can invalidated both sessions and notify the end user/server administrator that there has been a potential security breech. It doesn't stop the attacks completely but its a nice technique to make it harder and notify a user of the issue.

god bless this man. what a legend

Very interesting and eye-opening videos, pedagogically told. Simply great.

Great video and explanation. However, it would be nice to have a section on how to protect yourself from XSS.

you should do a video on Content Security Policy (CSP) and show how it can be used to protect against these types of attacks when having to use 3rd party applications which you may have little control of how they did their security.

That's still vulnerable to sql injection, because you used mysql_real_escape_string, instead of mysqli_real_escape_string. The i stands for "improved", so obviously that's the one we should use. The other one has some subtle bugs, mainly character encoding ones.

This takes me back to redirecting quest books.

0:49
Requests
1:50
Cookies
2:42
Stealing
3:30
XSS

ive nearly had my cookies stolen twice(or more) on discord! it was some kind of script that ran when you joined a server...and its quite clever

Really amazin
So well described
So exciting

Thank you
As far I am aware, if an attacker will gain the session ID he won't be able to use it again because it was already used by the original user.

One thing that would be nice in these videos, imo, would be simplest ways in few words, how to defend yourself from most known exploits for new Web developers, uni students etc

Excellent breakdown.

"I get back an image and I think nothing's gone wrong but they've now got my cookies" scariest words.

Who is this guy? He is the coolest one to tell about computers at this channel, the videos about computer vision are totally amazing and this one was great too despite I've known all the information long before I've seen it. But if I need to tell someone what "XSS" is, I will definitely give the link to this video

I remember when Facebook didn't require https for their mobile site. Soo many users details were visible in my school when I fired up FaceNiff or Firesheep. (ARP poisoning, traffic sniffing, cleartext cookies)

"It bags my cookie" sounds like British sexual innuendo.

Lots of PHP frameworks will now change your session ID on each request (while keeping the data associated to the new ID), this prevents these types of attacks as the ID that gets stolen is immediately invalid

You are a crafty man thanks for the lesson..........

This video seems like it might transition into a video about CSRF pretty well.

Reauth when performing important tasks is one method of hardening security. Another might be to challenge again if geoip logs detect impossible travel (i.e. it suddenly looks like you're on the other side of the world or, at least, a completely different Autonomous System).

Excellent !!!!! Ty for such an excellent videos

BRUH this guy really knows his stuff wow.........makes me wanna drop electrical and pick up programming/coding

Is it possible to use a similar concept to hijack someone else's toolbars/browser add-ons? I've heard of manipulating or tricking a user's browser to open a blank toolbar. This toolbar runs a script that allows you to access the user's local drives/files. Though I'm not sure it's seemless (not a true remote session). It seems strange that it would be possible but I can confirm I've seen it happen.

the interviewer really sounds like the guy from sonicstate. I always thought Brady was doing the interviews...

Even a "myimage.jpg" can perfectly be a php file (or any other scripting language, fwiw). The "file extension" concept have no place in HTTP protocol, so the browser doesn't actually know if "image.jpg" is an image or anything else named like that (including a folder). It doesn't even have to exist on the server, as you have multiple configuration options for your routing and rewriting of the request paths once the request hits the server.

Trading a browser cookie for a photo of the Cookie Monster? Seems like a fair trade to me! 🤣

Can you get this guy to explain software models, functions, attributes … I understand so many things for the first time when he is explaining it.

This would be good to go through if your going to take your Comptia Security + test

"It's all very positive. Oh, well, nearly." My words exactly when I get 25% on a assignment.

oh man why do so many good videos come out after midnight

An alternative to XSS and often used in Spam emails, is Clickjacking. Look it up if you're a web dev, or perhaps a video on this would be nice +Computerphile

7:14 Code like that, takes me waaay back 😂

Great video. I already know all this but know; PHP Sessions and Cookies are WAY different. Just like LocalStorage.

03:46 shows a Samsung subnotebook with a TrackPoint. Which model is it? I really need my TrackPoint, because TouchPads are crappy to use and whenever I have to use them, I feel the need to smash the machine against the wall. So what laptops are there that have a TrackPoint - except for Lenovo ThinkPads, of course??

Excellent video

I love that he’s using MariaDB

Prof. Can you please do a similar video for heap overflow? Thanks

Better not steal my cookies

:( Use the mysqli interface or PDO and prepared statements - do not use mysql_real_escape_string() any more. Come on Mike.

Mike, Ghostery is fine, but if you really want to have control over what the websites you're visiting do with your computer, I'd recommend tools like uBlock Origin, uMatrix (which is awesome!), NoScript and of course self-destructing cookies. RequestPolicy however is obsolete if you set up the "u-Addons" (uBlock/uMatrix) accordingly, because they can be set up in such a way that no cross-site-requests are being followed. Of course, most websites don't work in that setting, but then you can allow individual FQDNs (in uBlock Origin) and what is allowed to be loaded from an individual FQDN (in uMatrix), and in such a way websites can display their content, but don't execute the script that is intended to detect a tracking blocker, and so on.

The part at the end of the video, must be why, if you go to PayPal website and try to check everything on your account, it will constantly ask you to log in again, even if you just logged in again and 5 seconds later click a link that goes to another certain part of the account. This is annoying as hell, but I guess as you said, they do this to minimize risk.

It seems like a bit of a contrived example. Nicely explained, but I'd like to know whether this actually happens, how often it happens and how trivial it is to prevent it.

I have seen an article that mysql_real_escape_string() is still open to SQL injection. That is why it's best to use PDO

i have a question when we using https protocol, then we can't steel cookies as far as i know then what we need to worry about steeling cookies?

It’s scary how easy doing these sorts of things are sometimes. If I recall, however, XSS attacks aren’t nearly that much of a threat because because of SSL. The request is private, and you’d have to forge the certificate, which is nearly impossible. Do I understand correctly?

i've stopped using ghostery since i found out that they were actually keeping details of your browsing history and selling it on for profit

I steal cookies from myself all the time due to my employers blasted authentication policies. We started using Azure DevOps, and they require you to authenticate via their ActiveDirectory, which only works on the company intranet. However, this is just for authentication; DevOps traffic isn't controlled in any way. And since all consultants work on their own machines, I didn't want to have to switch to company computer to use Azure DevOps, so I downloaded a Chrome cookie session plugin that lets me dump a session after I've validated on the company computer, and load those cookies up on my own machine, and bam: I'm in Azure DevOps on my own machine. :D

You used to be able to do this on Neopets, they used it for this, but they also used it to put silly pictures in post that shouldn't normally let you do it. People are funny sometimes.

When he said, "Can I change the shipping address?" a FedEx truck passed by my house o_o

Right at the start you recommend installing an app to stop cookies 'tracking our whereabouts' but I couldn't understand what you said. Ghost something?

Is that code still vulnerable to SQL injection?
I thought it should be using prepared statements and enforcing UTF-8?

Pure genius !

Is it legal to do this on your website images? So if someone else excepting yours users is using that image, they will also send their cookies to your website?

People seeing this image might not realise what just happened...
A part it's a cookie monster.

So rather getting an image from the server that holds the blog file, the attacker is redirecting the request to his submitcookie.php file on the attacker server. This .php file stores the cookie in a databse and returns back to the defendless user the cookie monster image. Am I understanding this correctly?

Why did they choose the name "cookie"?

since most forums allow img tags, for pictures, (or tell me if they dont :p), doesnt it mean that practically every forum is vulnerable? what countermeasures do they use?

Why server does not use an IP address instead of cookie when it wishes to track clients requests and let's say shopping card? Because server can see only external IP address and can not see a local address of device. Is it the reason?

Curious how many folks will now try XSS here in the YT comments now. ;) alert('Weyhey!');

hey test

Am I understanding this correctly or am I missing something?
The script that he sent is now a permanent part of the website as it will be loaded from the database as soon as a user requests to view the blog entries. When the script is loaded, the client will run it and send their cookie to the attacker's website. The user doesn't need to do anything other than load that blog post in order to send off their cookie?

TH-cam is Smarter Than That

is there a way then of securely allowing someone to comment on a post or whatever it might be with an image from another server... I dont see how you can protect yourself against that. You would just have to ensure they arent allowed parameters in their img html tag? and screw the fact that someone might use it to get a different sized image example image.jpg?width=150 < not allow that but the original image could be 4k

My screen jumps up and down sometimes; - but I have an optical mouse ...it seems to stop when I turn the mouse upside down... - I could run wireshark but just stare at it like a spastic...

Ghostery itself does tracking. It's pretty messed up.

Instructions unclear, the cookies monster came after me stoling it's cookies.

can you create a playlist for the videos ur posting

Is there the possibility of reading out the whole cookie file? I mean it's just a file on the computer which can be read out. Can Javascript do such things?

In a normal situation, wouldn't the post with the session cookie be stopped by the browser because of same origin policy?