Cookie Stealing - Computerphile 

This guy has forgotten more about computers than I'll ever learn

Shouldn't this video be called "Biscuit Nicking"?

Dr. Pound is really good. I want more videos from him.

This guy and Tom Scott are my 2 favorite people on Computerphile. I just wish Tom still made videos on here.

I hate you guys. I have stuff to do, it's almost midnight and I keep on watching your so very interesting videos.

I love these videos that you and Tom Scott do here on Computerphile with ways people can and do hack websites while providing LEGAL examples. I would really like it if you and Tom Scott do more of these.

11:37 It might be worth emphasising here that the reason this works is because the script specifically read the contents of the cookie and included it in the URL parameters for the image. Normally the browser will not send cookies intended for one site to a completely different one.

When I explain session ID's to other people (who usually couldn't care less), I always explain it like this; There are "blind guards" to "doors" in a webpage. At the front of the website there's someone who asks for your secret password, you tell them the password and they give you a special badge with Braille on it. You walk into the website and when you feel like going to another "room" (page)...you walk up to the guard and they grope you and say "oh well...you MUST be that person or they wouldn't have let you in, so I'll show you the stuff that only you are suppose to see"......the problem is when someone else makes a copy of that badge...the guards can't tell the difference. Then I go on about cross-site scripting until they go cross-eyed and then I install the NoScript browser extension for them cause they said "I don't care "how" it works...just make it so they can't do it.

I'm so out of the loop. I didn't even realise this was possible in this way.

Computerphile drinking game. Take a shot every time he tugs on his sweater.

Upvote for that blog alone.

Might also be worth mentioning the HttpOnly flag for cookies here. I mean, obviously if you're vulnerable to XSS that's a serious problem regardless of what other security measures you've taken to protect users, but at least with HttpOnly set the JavaScript won't be able to steal cookies.

Don't get ghostery... It's owned by ad targeting companies.

For anyone thinking about pinning an IP address to a cookie, don't. Not only does it change if you move to new wifi network, it changes if you move between wifi and mobile, if you move between cell towers, if you're on public transport which offers free wifi and some ISPs even use a different IP address for every request (albeit usually South East Asian dial up connections). I've had people complain that they couldn't log in to a website before because their IP address changed between submitting a login form and getting the response back. Also, if you really want to secure yourself from SQL injection you should use prepared statements, ideally with stored procedures, and never adjust the base query at all. Escaping is not generally good enough to stop more advanced attacks.

I steal my grandma's cookies all the time. Much easier than the way you do it. I just reach into the jar.

There are lots of complicated and simple methods that you can implement between IP locking the cookie and nothing. Been a while since I had to develop a web app, but a common technique I would use would be that every time a request is made a new session ID (or a secondary ID) is generated and the last one is invalidated. This will mean your session ID keeps changing, reducing the size of each attack window and if your cookie is stolen and used when you next request with the cookie the attacker has invalidated, it can invalidated both sessions and notify the end user/server administrator that there has been a potential security breech. It doesn't stop the attacks completely but its a nice technique to make it harder and notify a user of the issue.

alert("Just testing... :P")

It would be awesome if you could provide your test website codes so one could try out for themselves and follow along Thanks for the awesome content

4:02 "Your blog is bad, and you should feel bad." Futurama reference.

I actually heard a story of the valve steamworks not being protected against XSS which would allow a rogue developer to put HTML tags in the description of their app description and steal the cookies of any valve administrator visiting the info of his app.

Mike Pound is my favorite Computerphile host

0:49 Requests 1:50 Cookies 2:42 Stealing 3:30 XSS

Fantastic video!! I already knew all this stuff but still very enjoyable to watch. More web dev stuff please!

god bless this man. what a legend

That's still vulnerable to sql injection, because you used mysql_real_escape_string, instead of mysqli_real_escape_string. The i stands for "improved", so obviously that's the one we should use. The other one has some subtle bugs, mainly character encoding ones.

Thank you for always providing clear content Mike

I love MIke Pound's videos!

"I get back an image and I think nothing's gone wrong but they've now got my cookies" scariest words.

Trading a browser cookie for a photo of the Cookie Monster? Seems like a fair trade to me! 🤣

so over my head, but nice to have an inkling of what it means!

Looked up ghostery as soon as you mentioned it and installed it to both browsers I use. Thanks!

Better not steal my cookies

This is how Linus got hacked

One thing that would be nice in these videos, imo, would be simplest ways in few words, how to defend yourself from most known exploits for new Web developers, uni students etc

I remember when Facebook didn't require https for their mobile site. Soo many users details were visible in my school when I fired up FaceNiff or Firesheep. (ARP poisoning, traffic sniffing, cleartext cookies)

you should do a video on Content Security Policy (CSP) and show how it can be used to protect against these types of attacks when having to use 3rd party applications which you may have little control of how they did their security.

Great video and explanation. However, it would be nice to have a section on how to protect yourself from XSS.

Ghostery itself does tracking. It's pretty messed up.

Why did they choose the name "cookie"?

This video seems like it might transition into a video about CSRF pretty well.

You guys should do a series on stuff like this and how to try and prevent it. Since not too many people realise stuff like this especially when they begin coding - even Twitter has this happen not that long ago. I see how you show how it’s done, but you didn’t show how to prevent it ( an easy way that I use, is replace all angle brackets with the HTML code for it - it’s an ampersand and some text - now it won’t be valid HTML ). Heck, maybe even videos on how to secure your server itself.

:( Use the mysqli interface or PDO and prepared statements - do not use mysql_real_escape_string() any more. Come on Mike.

the interviewer really sounds like the guy from sonicstate. I always thought Brady was doing the interviews...

It seems like a bit of a contrived example. Nicely explained, but I'd like to know whether this actually happens, how often it happens and how trivial it is to prevent it.

An alternative to XSS and often used in Spam emails, is Clickjacking. Look it up if you're a web dev, or perhaps a video on this would be nice +Computerphile

When he said, "Can I change the shipping address?" a FedEx truck passed by my house o_o

Thank you As far I am aware, if an attacker will gain the session ID he won't be able to use it again because it was already used by the original user.

Reauth when performing important tasks is one method of hardening security. Another might be to challenge again if geoip logs detect impossible travel (i.e. it suddenly looks like you're on the other side of the world or, at least, a completely different Autonomous System).

Great explanation about this issue. Thank you very much.

RU-vid is Smarter Than That

Very interesting and eye-opening videos, pedagogically told. Simply great.

Who is this guy? He is the coolest one to tell about computers at this channel, the videos about computer vision are totally amazing and this one was great too despite I've known all the information long before I've seen it. But if I need to tell someone what "XSS" is, I will definitely give the link to this video

I steal cookies from myself all the time due to my employers blasted authentication policies. We started using Azure DevOps, and they require you to authenticate via their ActiveDirectory, which only works on the company intranet. However, this is just for authentication; DevOps traffic isn't controlled in any way. And since all consultants work on their own machines, I didn't want to have to switch to company computer to use Azure DevOps, so I downloaded a Chrome cookie session plugin that lets me dump a session after I've validated on the company computer, and load those cookies up on my own machine, and bam: I'm in Azure DevOps on my own machine. :D

Why server does not use an IP address instead of cookie when it wishes to track clients requests and let's say shopping card? Because server can see only external IP address and can not see a local address of device. Is it the reason?

I love that he’s using MariaDB

mysql_real_escape_string() is deprecated!

oh man why do so many good videos come out after midnight

Even a "myimage.jpg" can perfectly be a php file (or any other scripting language, fwiw). The "file extension" concept have no place in HTTP protocol, so the browser doesn't actually know if "image.jpg" is an image or anything else named like that (including a folder). It doesn't even have to exist on the server, as you have multiple configuration options for your routing and rewriting of the request paths once the request hits the server.

Really amazin So well described So exciting

People seeing this image might not realise what just happened... A part it's a cookie monster.

Is it possible to use a similar concept to hijack someone else's toolbars/browser add-ons? I've heard of manipulating or tricking a user's browser to open a blank toolbar. This toolbar runs a script that allows you to access the user's local drives/files. Though I'm not sure it's seemless (not a true remote session). It seems strange that it would be possible but I can confirm I've seen it happen.

Waiting for CERN's vpm

BRUH this guy really knows his stuff wow.........makes me wanna drop electrical and pick up programming/coding

Okay, someone was telling me to not to store token in localstorage. As I'm watching this, things are not quite different tbh

That's exactly why cross origin resource sharing policies exist.

Lots of PHP frameworks will now change your session ID on each request (while keeping the data associated to the new ID), this prevents these types of attacks as the ID that gets stolen is immediately invalid

7:14 Code like that, takes me waaay back 😂

Put that cookie down, now!

It’s scary how easy doing these sorts of things are sometimes. If I recall, however, XSS attacks aren’t nearly that much of a threat because because of SSL. The request is private, and you’d have to forge the certificate, which is nearly impossible. Do I understand correctly?

Very clear! Read more books though!

Excellent breakdown.

Can you get this guy to explain software models, functions, attributes … I understand so many things for the first time when he is explaining it.

Curious how many folks will now try XSS here in the YT comments now. ;) alert('Weyhey!');

crosseyed what? awesome, thanks

I have seen an article that mysql_real_escape_string() is still open to SQL injection. That is why it's best to use PDO

This would be good to go through if your going to take your Comptia Security + test

Mike, Ghostery is fine, but if you really want to have control over what the websites you're visiting do with your computer, I'd recommend tools like uBlock Origin, uMatrix (which is awesome!), NoScript and of course self-destructing cookies. RequestPolicy however is obsolete if you set up the "u-Addons" (uBlock/uMatrix) accordingly, because they can be set up in such a way that no cross-site-requests are being followed. Of course, most websites don't work in that setting, but then you can allow individual FQDNs (in uBlock Origin) and what is allowed to be loaded from an individual FQDN (in uMatrix), and in such a way websites can display their content, but don't execute the script that is intended to detect a tracking blocker, and so on.

very nice videos, computerphile, keep the good job

hey test

Spot the Parker cube!

BUT... Amazon has now forced Instant Transactions on customers which bypass pre-transaction authentication. Is Amazon now unsafe, or do they gave alternative cross site scripting safety measures against hackers posting reviews, comments and Amazon Marketplace listings?

Who stole the cookie from the cookie Jar?

NO IT'S NOT A COOKIE! IT'S AN ORANGE! *IT'S AN ORANGE!!*

03:46 shows a Samsung subnotebook with a TrackPoint. Which model is it? I really need my TrackPoint, because TouchPads are crappy to use and whenever I have to use them, I feel the need to smash the machine against the wall. So what laptops are there that have a TrackPoint - except for Lenovo ThinkPads, of course??

Cookies need love like everyone does

test

Great video. I already know all this but know; PHP Sessions and Cookies are WAY different. Just like LocalStorage.

Seems like camera man is doing sting operation of Dr Pound

Now do CSRF :D

This takes me back to redirecting quest books.

You are a crafty man thanks for the lesson..........

Is that code still vulnerable to SQL injection? I thought it should be using prepared statements and enforcing UTF-8?

You used to be able to do this on Neopets, they used it for this, but they also used it to put silly pictures in post that shouldn't normally let you do it. People are funny sometimes.

Install what? I couldn't make out what you suggested people install at the beginning of the video.

Right at the start you recommend installing an app to stop cookies 'tracking our whereabouts' but I couldn't understand what you said. Ghost something?

This is why good programmers should always sanitize client strings to prevent XSS attacks.

Excellent video

Am I understanding this correctly or am I missing something? The script that he sent is now a permanent part of the website as it will be loaded from the database as soon as a user requests to view the blog entries. When the script is loaded, the client will run it and send their cookie to the attacker's website. The user doesn't need to do anything other than load that blog post in order to send off their cookie?

alert("probably didn't work")

alert("Attak you!")