SURF JACK: Even HTTPS will not save you

by AJ on August 11, 2008

There’s a new security tool that Surf Jack that allows one to hijack HTTP connections to steal cookies – even ones on HTTPS sites. Works on both Wifi (monitor mode) and Ethernet.

Here’s a proof of concept to steal session cookies on HTTP and HTTPS sites that do not set the Cookie secure flag.

Surf Jacking Gmail demonstration from Sandro Gauci on Vimeo.

It’s really a scary to see that even Gmail was vulnerable before to these types of attack. So, how about Yahoo Mail? And what more if you use Hotmail Live? Makes you really think if there is such thing as 100% security nowadays.

Popularity: 1%