If you had access to someone's computer for 10 seconds, what's the best you could do? Post a funny status on Facebook, tweet a goofy picture, or if you're feeling ambitious, attempt something in Terminal?

Cookie Jar illustrates a major flaw in websites' usage of cookies by decrypting Chrome cookies with Keychain. With Cookie Jar and 10 seconds of access to someone's computer, you can continuously upload all of their user data to your own account. This allows you to go back to your own computer and log in to any of their accounts (including Facebook, Twitter, Gmail, bank accounts, and literally anything else).

How it works: 1) If someone leaves their computer open, access their browser and navigate to www.ckjr.me/[your_username]. The script removes itself and leaves no trace, so you don't have to worry about being caught. 2) Log in to your Cookie Jar account on your computer and select the person you just hacked. 3) Click on any of the account icons to open up a new browser window with their account already logged in. 4) Enjoy ;)

10 seconds of access has never been so dangerous.

Browsers attempt to solve this problem by encrypting users' cookies with the user's password. We found a way around this by decrypting all of Chrome's cookies by taking advantage of unlocked Keychains in Mac OS X's Keychain Access tool. While our demo works on a Mac, the same principle applies to Windows and Linux.

Better yet, we've also figured out a solution. When creating a cookie, websites should also store the user's MAC address and IP. Then when a user begins a new session, verify that their cookie matches their MAC address and IP. This solution allows users to only continue sessions from the same computer.

*Because of the security implications of this hack we have YET to release this to the public, and we'll be demoing on a newly-imaged Mac.

Built With

Share this project: