Community Cookie Logger
Whiteacid posted last month about a community cookie logger script that he had created. This is really no different than any cookie logger, except that this one is designed to be as open as possible so that anyone can use it. I’ve actually thought about doing this before but the liability seems more than I’d like to take on since all those annoyed admins would be coming to me with the feds to get my logs. Noooo thanks.
So that begs the next question, which is now you have to go retrieve those cookies, and what if the site is down, or can’t handle the amount of cookies you are stealing, etc… You need some sort of distributed cookie stealing system. The idea that came to my mind is using open bulletin boards. If the page is already cross site scriptable, you can steal the cookies and forward them to any open webboard anywhere. Chances are it’s also a very spammable board, but maybe that’s okay. Maybe spam isn’t that bad, intertwined with your cookie theft. I don’t know, but it’s an interesting thought.
Obviously you could get around detection on Whiteacid’s site by using proxies, or Tor or something, but I’d still be careful as all of those appear to have holes. Not that I think Whiteacid would exploit those holes, but if the feds ever seized his machines they could easily implement something like the UnAnomyizer that metasploit came out with.
June 28th, 2006 at 1:02 pm
One way to retrieve all those cookies is to have the cookie catcher script dump them all into a db, based on ip or cookie data, so that no duplicates are entered.
Bulletin boards would work too, for a distributed system, but I think anytime you get a few cookies off one of these say, social sites you could also use a proxy, log in as them, and put the cookie catcher code in their profiles or post bulletins with it.
June 28th, 2006 at 2:12 pm
I should let you know that my site is hosted by dreamhost, so if the feds want to read the logs I have no control over that. I log as little as a can, but of course apache logs things, and dreamhost probably log something too.
I do suggest you use tor when accessing your stolen cookies. I will actually add a message to the main page saying this.
June 28th, 2006 at 5:05 pm
That’s good info, it’s not that I don’t trust you, WhiteAcid, that’s not it at all. I just don’t like to HAVE to trust you.
I’m really not the paranoid type, but getting caught for something stupid just isn’t my style.
June 29th, 2006 at 12:23 am
That’s totally understandable and don’t worry, I don’t easily get offended. For those of you who know how to make your own cookie stealers, go ahead, make your own or use my code to make a private one. My project was at first just something to do for a day. Plenty of people use it (and even more try to exploit it).
April 26th, 2007 at 2:39 pm
What happened to your site? It is down.