Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: can awebsite steal another website cookie

  1. #1
    Junior Member
    Join Date
    Feb 2009
    Posts
    4

    can awebsite steal another website cookie

    Hi
    im asking if its possible to a website to steal another website cookie from the browser?

    why i see only few posts on the forums although the number of posts is so much ??!!

    thanks in advance.

  2. #2
    Banned
    Join Date
    Jan 2008
    Posts
    605
    If its on a subdomain.

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I will answer the second question first. Basically you cannot see all the forums. Some are restricted and some are obsolete given the current site format.

    As for cookies being stolen, I would say that it would be generally possible, but would depend very much on circumstances, as would the significance.

    For example when I log on I get cookies from Google and Yahoo. I don't think that stealing those would be of any value to anyone?

    When I browse the net I pick up cookies that I would consider to be equally valueless.

    My browser is set to only retain cookies for the session and to clear them when I close it.

    When I leave a site that requires a logon, I always log out to close the session. I also close my browser to clear my private data locally.

    If you have closed the session then the session cookie is pretty much useless.

    EDIT:

    I will clarify what I am talking about. I am envisaging that I connect my dial-up or ADSL modem and connect to an ISP.

    I then visit site "A" and pick up a cookie....................I then go to site "B" So that gives us the following:

    1. If I have disabled all cookies then no site can set them or read (steal) them.

    2. If I have specifically allowed cookies for site "A" but not "B" then "B" should not be able to read site A's cookie.

    3. If I restart my browser/clear private data before visiting site "B", then once again there is nothing there to steal.

    4. If site "A" has terminated my session when I left it, then it doesn't matter if site "B" can read it from my browser because it has expired, and won't be accepted anymore.

    5. Where I have a secure logon and leave the session open, it should still be protected by the site as it shouldn't allow more than one active session for the same user.
    Last edited by nihil; February 23rd, 2009 at 07:57 AM.

  4. #4
    Junior Member
    Join Date
    Feb 2009
    Posts
    4
    thanks for reply
    i mean if both sites cookies still alive not expired
    can any one of them steal the cookie of the other ?

  5. #5
    Banned
    Join Date
    Jan 2008
    Posts
    605
    I remember some six or seven years ago...

    I had found out that alot of the crappy scripts JP put on the site didn't consistently need "cookies". Alot of the junk he put up could be parced straight through a single URL. So what happend was I put up a URL in my signature that forced everyone to Neg another user.

  6. #6
    Junior Member
    Join Date
    Feb 2009
    Posts
    4
    thanks for reply
    i mean if the user in logged into yahoo and enter another website
    can this website steal yahoo cookie?
    thanks.

  7. #7
    Banned
    Join Date
    Jan 2008
    Posts
    605
    If there is something completely wrong with you're browser... then yes.

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    macnux: Do some reading on the Same Origin Policy (http://en.wikipedia.org/wiki/Same_origin_policy). Essentially a website would have to violate the Same Origin Policy in order to access your cookies. Does this happen? Sure... Do some googling and you'll find lots of cases of vulnerabilities in browsers that have allowed people to bypass the policy over time.

  9. #9
    Disgruntled Postal Worker fourdc's Avatar
    Join Date
    Jul 2002
    Location
    Vermont, USA
    Posts
    797
    Sites can borrow cookie information

    How is possible that if one visits the weather channel enters his postal code to get the weather then the next site he goes to can guess his locality.

    Try it some time, get the weather then visit some porn site and find out that single women in yourtown want to meet you.
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot

  10. #10
    Banned
    Join Date
    Jan 2008
    Posts
    605
    Most ads like that sift through results in whois databases.

Similar Threads

  1. Website Administration
    By jethro in forum The Security Tutorials Forum
    Replies: 4
    Last Post: August 9th, 2006, 10:13 AM
  2. Multiple Browser Cookie Injection Vulnerabilities
    By Spyder32 in forum Miscellaneous Security Discussions
    Replies: 1
    Last Post: September 18th, 2004, 10:14 AM
  3. About Cookies
    By Szafran in forum AntiOnline's General Chit Chat
    Replies: 3
    Last Post: September 13th, 2003, 04:21 PM
  4. Cookie Tut
    By er0k in forum The Security Tutorials Forum
    Replies: 0
    Last Post: February 3rd, 2003, 03:23 AM
  5. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 09:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •