You can have your cookie and eat it!
We are living in the future. You can order a self-driving car, and if you’re really nice to Elon, he’ll take you on a week’s trip around the moon. Technical challenges that seemed impossible are now a reality. Oh, and high-profile web sites are still not encrypting session cookies because it’s too difficult.
eBay, the internet’s favourite car boot sale, sets two important cookies, cid and nonsession, that authenticate a user. These cookies are not marked with the Secure flag, the site does not use HSTS, and HTTPS is a typo in the URL. During normal use of eBay, these cookies are transmitted over the Internet without any transport layer encryption.
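The two defects just described (session cookies without the Secure flag, and no HSTS header) are both visible in plain response headers, so they are easy to audit. The following is an added example, not code from the original post or from eBay: a small header checker that flags session cookies lacking Secure, HttpOnly or SameSite and a missing or short-lived Strict-Transport-Security header. The set of session-critical cookie names and the two sample responses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cookie names that carry authentication state. The post names eBay's "cid"
# and "nonsession"; treating them as session-critical is this example's assumption.
SESSION_COOKIES = {"cid", "nonsession"}

ONE_YEAR = 31536000  # minimum HSTS max-age worth recommending, in seconds


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie header value into its name and security attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return CookieReport(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite"),
    )


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return a list of findings for an HTTP response given as (name, value) pairs."""
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            rep = parse_set_cookie(value)
            if rep.name not in SESSION_COOKIES:
                continue  # only authentication cookies are in scope here
            if not rep.secure:
                findings.append(f"{rep.name}: missing Secure flag (will be sent over plain HTTP)")
            if not rep.httponly:
                findings.append(f"{rep.name}: missing HttpOnly flag (readable by page script)")
            if rep.samesite is None:
                findings.append(f"{rep.name}: no SameSite attribute")
        elif lname == "strict-transport-security":
            hsts = value
    if hsts is None:
        findings.append("no Strict-Transport-Security header (HSTS not enabled)")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "cid=abc123; Domain=.example.com; Path=/"),
    ("Set-Cookie", "nonsession=def456; Domain=.example.com; Path=/; Expires=Fri, 01 Jan 2027 00:00:00 GMT"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "cid=abc123; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "nonsession=def456; Domain=.example.com; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(resp) or 'no findings'}")
```

The weak response produces seven findings (three per session cookie plus the missing HSTS header); the hardened one produces none. The same function can be pointed at real headers from `requests` or a browser's network panel, since it only needs the (name, value) pairs.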
These cookie values are easy to capture and there are a multitude of possible scenarios where users could be leaving themselves vulnerable without knowing it. An attacker on the same local network could use ARP spoofing to intercept your network traffic. Public WiFi spots in coffee shops are famously not encrypted, so someone within WiFi range could see you transmitting your sensitive cookies without even needing to be in the shop. Even a rogue employee or a nation state at ISP level would have access to your cookies.
I was able to capture the cookie values from the network and insert them into a different browser on a different IP address.
Lo and behold, I’ve gained access to almonie’s eBay account by using two cookie values.
I can access this user’s watch list. Seems to be into Electric Cars.
What’s worse, is that many users link their PayPal accounts, so with a click and confirm, your favourite IoT doll can be yours.
It was possible to search for arbitrary items, and use the eBay application normally within the attacker’s browser. Who apart from @TheKenMunroShow, would purchase a doll that could spy on you?
Okay, I just need something cheap to confirm this eBay cookie issue… I search for the cheapest thing on eBay, and find some kind of black rubber thing. At 1p, I’m not sparing any expense… 10 minutes of high anxiety later, and… I’m a WINNER!
I run through the checkout process, and because I’ve already linked my PayPal account, I’m one click away from a 1p rubber thing from China that will never arrive. I’m very excited.
One successful purchase later, and I’m left wondering why this issue has not been fixed. We raised it with eBay via their Bug Bounty programme, and this was their response:
So, they know about it, but they are not addressing it, dismissing it instead with a vague statement about expanding the use of SSL. Take your time eBay, those SSL accelerators are very expensive when you’ve got $2.4 billion of revenue to protect each quarter: https://investors.ebayinc.com/financial_releases.cfm.
Thanks to @lambdacasserole for tipping us off.