jdsleppy | 2 months ago

Doesn't stealing the cookies/token require a non-HTTP-only session cookie or a token in localstorage? Do you know that Discord puts their secrets in one of those insecure places, or was it just a guess?

I believe if you always keep session cookies in secure, HTTP-only cookies, then you are more resilient to this attack.

I interviewed frontend devs last year and was shocked how few knew about this stuff.

notnullorvoid | 2 months ago

In general, if a script can run, users' sessions and, more importantly, passwords are at risk.

It's true that an HTTP-only session cookie couldn't be directly taken, but it's trivial to present the user with a login screen and collect their password (and OTP), at which point you can easily get a session remotely. It can look entirely like the regular login page right down to the url path (because the script can modify that without causing a page load).

socketcluster | 2 months ago

Yep, httpOnly cookies just give the hacker a bit of extra work in some situations. TBH I don't even think httpOnly is worth the hassle it creates for platform developers given how little security it adds.

drewvlaz | 2 months ago

Wow, did not realize a url could be set like that without prompting a page reload...

jonfw | 2 months ago

How do you modify the url exactly?

giancarlostoro | 2 months ago

No, because Discord auth tokens don't expire soon enough. The only thing that kills them is changing your password. Idk why Discord doesn't invalidate them after some time; it is seriously amateur hour over there and has been for a while.

seaal | 2 months ago

Probably because the end user hates logging in; my friends always complain about the “remember me” button being useless for some services.

ddlsmurf | 2 months ago

If you set the cookie header right (definitely not always the case), this is true, but the JavaScript can still send requests that will have that cookie included, effectively still letting the hacker use the session as the logged-in user.

collinmanderson | 2 months ago

with http-only they can't _steal_ the cookie, but they can still _use_ the cookie. It reduces the impact but doesn't fully solve it.

hackermondev | 2 months ago

Discord puts the authentication token in local storage

edoceo | 2 months ago

Is that a problem on its own? It's like, encrypted right? Maybe a time sensitive token?

s_ting765 | 2 months ago

You may be thinking of CSRF mitigations. XSS exploits are more dangerous and can do more than steal sessions.

abustamam | 2 months ago

As a FE dev, I wouldn't be able to articulate what you just did in the way you did, but it is something I know in practice, just from experience. I don't think any of the FE courses I took tackled anything like that.

j-krieger | 2 months ago

Token stealing hasn't been a real danger for a decade now. If you don't mark your tokens as non-HTTP you're doing something explicitly wrong, because 99% of backends nowadays do this for you.

netdevphoenix | 2 months ago

Surely, if a script is in a position to sniff the cookie from local storage, they can also indirectly use the http-only cookie by making a request from the browser. So really not much of a difference as they will be taking over the account

Aldipower | 2 months ago

The cookie storage and the local storage by all means is not the same! Cookies are not stored in the local storage and could be httpOnly, so they are not directly accessible by JavaScript. Nevertheless, as described above, with this XSS attack it is easy to bypass the token and just steal the user credentials by pretending a fresh login mask keeping the origin domain intact. That's why XSS attacks are dangerous since existence. Nothing new actually.