Closed Bug 307440 Opened 19 years ago Closed 19 years ago

Possible Cookie Exploit: cookie for other domain sent to http://ip-num/.other.domain.com/

Categories

(SeaMonkey :: Security, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: tobias, Assigned: dveditz)

Details

(Whiteboard: [sg:needinfo])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.11) Gecko/20050807
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.11) Gecko/20050807

I got a spoof-mail wanting me to re-register credit card credentials at amazon.
I got pointed to http://61.233.119.49/.www.amazon.com/amazon/amazon/index.html
- for some reason I was recognized with full name, my hunch
is that my amazon cookies are sent to 61.233.119.49 and that this (zombie?)
server then acts like a man-in-the-middle, sending information to amazon.

(I'm very sorry - I don't have time to investigate this better or try to
confirm/reproduce this locally atm)


Reproducible: Always

Steps to Reproduce:
When I go to that site I'm not recognized even with amazon cookies. The source
of that page looks like pretty standard phishing stuff and of course shouldn't
be seeing Amazon cookies.

Do you still get that effect, or has the page changed? (It wasn't hosting
something like a "Quick Buy" link from Amazon itself, was it?
http://www.amazon.com/exec/obidos/dt/assoc/tg/aa/xml/assoc/-/0452283833/stopgettindum-20/privacy/104-9509816-7321547)

If you're still seeing the effect would it be possible for you to capture some
internal cookie data for us and attach it to this bug? Use the "Create a New
Attachment" above to add the data.

To capture a log of cookie data see
http://www.mozilla.org/projects/netlib/cookies/cookie-log.html

These logs can be very, very large; it's best if you shut down the browser, set
the environment variables, go right to the site you're capturing, exit the
browser, unset the environment variables (or move the log file right away). If
you leave the environment variables set the log file will be overwritten every
time you start the browser.

Whiteboard: [sg:needinfo]

Sorry to bother; I checked it up a bit closer, it's a frameset, seems like the
frame is pointing to amazon.com.

It took some time from when I encountered it until I decided to report it, so I
forgot some "minor" details: from the login page I followed the "forgot
password" link, and from there I followed the "my account" link.

Thanks for responding. Pretty standard phishing stuff unfortunately. We hope to
do a better job of warning users in a future version.

Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
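
Added example, not part of the bug thread or Mozilla's code: a sketch of RFC 6265 domain matching showing why the reported URL cannot receive Amazon cookies while a frame loaded from amazon.com does. The cookie jar, cookie names and the frame URL are constructed; path, Secure and third-party-cookie rules are left out.

```javascript
// Cookie selection keys on the request *host*, never on the URL path.
// Domain matching follows RFC 6265 section 5.1.3.

function isIpLiteral(host) {
  // The URL parser yields dotted-decimal IPv4 and bracketed IPv6 hostnames.
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
}

// True if a cookie scoped to cookieDomain may be sent to requestHost.
function domainMatch(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  if (isIpLiteral(host)) return false; // suffix rule never applies to IPs
  return host.endsWith('.' + domain);  // must align on a label boundary
}

// Names of the cookies in `jar` that would accompany a request to `url`.
function cookiesFor(url, jar) {
  const { hostname } = new URL(url);
  return jar.filter(c => domainMatch(hostname, c.domain)).map(c => c.name);
}

// Constructed jar: placeholder names, not real Amazon cookies.
const jar = [
  { name: 'sess', domain: '.amazon.com' },
  { name: 'prefs', domain: 'www.amazon.com' },
];

// Top-level page from the report: host is the IP, "amazon" is only in the path.
const phishingTop =
  'http://61.233.119.49/.www.amazon.com/amazon/amazon/index.html';
// Assumed frame source; the thread only says the frame points to amazon.com.
const framedReal = 'http://www.amazon.com/';

console.log(new URL(phishingTop).hostname, cookiesFor(phishingTop, jar));
console.log(new URL(framedReal).hostname, cookiesFor(framedReal, jar));
```

The framed request carries the cookies because it goes to Amazon's own host, which is why the visitor appears recognized; the outer page at the IP address receives none of them.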