1

I was reading an article on how to sniff network packets (of course, for knowledge purposes only). I came across these particular lines.

For instance, say I was sniffing traffic on the network, and you logged in to Facebook and left the Remember Me On This Computer check box checked. That signals Facebook to send you a session cookie that your browser stores. I potentially could collect that cookie through packet sniffing, add it to my browser and then have access to your Facebook account.

So, assuming my Linux client is compromised and I am currently unaware of it, does that mean that if I have clicked on "remember me on this machine" to log in to my accounts, my personal details are compromised? How can the compromised machine's cookie information be used in any hacker's browser?

Ramesh
  • 39,297

3 Answers

5

If the machine is compromised, everything you typed in when logging in (such as your username and password) can be compromised, so "Remember me" doesn't really matter anymore.

But even if we stick to cookies only, the hacker can extract the session cookies from the browser's profile and then use them in his browser.

Example: Firefox stores all its data in ~/.mozilla. The hacker can just copy that folder to his system and put it in place of his own profile folder, and when he uses that browser with your profile folder, all websites will think that it's actually you (except some websites that also look at the user's IP, which will be the attacker's one; sadly, not many sites offer that feature).

0

If someone is sniffing traffic on your LAN and you access Facebook, thanks to Edward Snowden exposing the NSA, your connection to Facebook will be encrypted using HTTPS and the third party won't be able to see anything useful from your session. In the post-Snowden era, the majority of Internet services enable HTTPS connections by default to prevent the NSA from being able to vacuum up the world's Internet traffic and pilfer your emails.

Creek
  • 5,062
0

The "Remember me" option just creates a session cookie which the service (Facebook for instance) will be happy to accept "forever". Nowadays almost all services work by generating a session cookie which the client (your browser) will transmit over and over again during the session. So, the "remember me" option actually "only" tells the service/server to keep accepting that newly generated session cookie forever.

If you don't select it, the service will "drop your session" (aka "log you out", and technically "stop accepting your session cookie") after some inactivity time, say something between 10 minutes (online banking services) and several hours.

As other people say, "remember me" should not make a big difference if somebody is sniffing your traffic, because you should be connecting through httpS in any case... And if you use plain unencrypted http, the man in the middle would just sniff your username/password anyways, session cookies don't make a difference! So I don't think that the statement in the quote posted in the question really points at the right problem.

And if somebody hacked your PC, as others said, you have a much bigger problem than persistent session cookies!

Two other cases to mention: if you sometimes leave your computer unattended with no "screenlocker" protection, using the "remember me" option means that you will be logged in to your account immediately when you visit the page... but if not, and your browser remembers your passwords, you are in the same situation. Or if you use "remember me" on a computer you don't own, like a friend's computer or an internet cafe (but that is technically identical to the 'hacked PC' case anyways :).

IMHO the biggest actual difference in using the "remember me" option is that by being permanently and constantly logged in to your (Facebook, for instance) account, you provide web-trackers in other pages (say when you visit some news site) with perfect and continuous tracking information! Facebook and advertising companies are extremely happy with you!

Ariel
  • 1,050
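The two points made in the answers above (a "remember me" cookie is a session cookie with a longer lifetime, and sniffing only matters when the cookie can travel without HTTPS) can be checked from a site's `Set-Cookie` header. This is an added example, not part of the original answers; the header values and the `assess`/`classify` names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie values for illustration; not captured from any real site.
SAMPLES = {
    "session_only": "sid=abc123; Path=/; Secure; HttpOnly",
    "remember_me": "sid=abc123; Path=/; Max-Age=31536000; Secure; HttpOnly",
    "remember_me_no_secure": "sid=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "logout": "sid=deleted; Path=/; Max-Age=0; Secure",
}


def classify(persistent, secure):
    """Map the two attributes the answers discuss to an exposure label."""
    if secure:
        # Never sent over plain HTTP, so a LAN sniffer does not see it.
        # It still sits in the browser profile on a compromised machine.
        return "local-only"
    return "wire-long-lived" if persistent else "wire-session"


def assess(set_cookie_value):
    """Return {cookie_name: findings} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    report = {}
    for name, morsel in jar.items():
        max_age = morsel["max-age"]
        if max_age != "":
            # Max-Age takes precedence over Expires; zero or negative deletes.
            persistent = int(max_age) > 0
        else:
            # Simplification: any Expires attribute counts as persistent,
            # without comparing the date to the current time.
            persistent = bool(morsel["expires"])
        secure = bool(morsel["secure"])
        report[name] = {
            "persistent": persistent,                  # survives browser restart
            "sent_over_plain_http": not secure,        # visible to a sniffer
            "readable_by_page_script": not bool(morsel["httponly"]),
            "exposure": classify(persistent, secure),
        }
    return report


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, assess(header))
```
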