If you use Gmail, eBay, MySpace, or any one of dozens of other web-based services, the United States Computer Emergency Readiness Team wants you to know you’re vulnerable to a simple attack that could give an attacker complete control over your account.
Five weeks after we reported this sad reality, US CERT on Friday warned that the problem still festers. It said, the world’s biggest websites have yet to fix the gaping security bug, which can bite even careful users who only log in using the secure sockets layer protocol, which is denoted by an HTTPS in the beginning of browser address window.
US CERT warned that Google, eBay, MySpace, Yahoo, and Microsoft were vulnerable, but that list is nowhere near exhaustive. Just about any banking website, online social network or other electronic forum that transmits certain types of security cookies is also susceptible.
The vulnerability stems from websites’ use of authentication cookies, which work much the way an ink-based hand stamp does at your favorite night club. Like the stamp, the cookie acts as assurance to sensitive web servers that the user has already been vetted by security and is authorized to tread beyond the velvet rope.
Internet, Web, Security, Vulnerability, Hack, Hackers, Hacking, CERT, US