Hi, I've recently noticed that it is possible to change the value (and name) of HttpOnly cookies in Firebugs new cookies tab. Surely this opens up a new security loophole for hackers to take advantage of???
For example consider the following scenario: - The user has a piece of spyware on their machine. - This spyware feeds back information about what sites they visit and the cookies set by that site to the hacker. - At some point the user logs in to a site with a session timeout of 1 hour. - Even if this site depends on a random security key (stored in a cookie) which changes on every page, at some point the user is going to leave a page open for a while whether they're away from their computer or reading a long page. - If the hacker grabs the session ID and security key in time, and changes them on his machine, they are now logged in as the user and on going to the site they will log the user out (as the security key is now incorrect on the users machine). Does anyone else see this as a major security flaw? Is this by design or a bug? Anyone come up with a way to prevent this? The only I can think of is to use the IP address too but then that's easy enough to spoof. Regards, ClarkeyBoy -- You received this message because you are subscribed to the Google Groups "Firebug" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at https://groups.google.com/forum/#!forum/firebug
