In my various wanderings today looked at some cookie resources. Interesting to see questions regarding cookies [Evil Cookies, raised by Iain Wade] in BUGTRAQ so thought would share an address I stumbled across:

http://www.cookiecentral.com/

It's a resource about cookies, and the third item on the page happens to be "Cookie Exploit Discovered"

Read the article... the following rambling contains my own thoughts and inaccuracies :o)

[brief summary: Browsers (not cookie implementation) can be fooled with, by having trailing dots on the domain you are setting cookies for. Various conditions need to exist for it to work. Blah blah.... (exercise/visit to site left to the reader) ]

-------------------

In response to Iain Wade

> So my questions are these:
> a) Why would Netscape Communicator 4.7 accept a cookie like this
> (invalid -- only two periods):
> .com.au TRUE / FALSE 1264987602 CyberTargetAnonymous
> NMN000CDCF833FA08963E9BDBC6CAA59301

Broken implementation in browsers. Details in article.

> b) How can this be used by some mass marketing company to turn me into a
> number in their systems for sale to the highest bidder?

From my understanding, the evil empire [mass marketing company, government agency, whoever] can send you a cookie UNDER CERTAIN CONDITIONS [read the article, there are several that need to be met] that will be sent to other domains that you are visiting. If it includes some sort of tracking [you are victim X etc], throw in some distributed databases / information gathering, then the potential is limited to scope of imagination. Yet again conspiracy theories are left as an exercise to the reader. :o)

> Just because you're paranoid doesn't mean they're not all out to get
> you.

I checked under my bed, and superglued the closet shut. Anything more serious I'll fill a water pistol up with vinegar and aim for the eyes...

Cheers,
Paul
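
Added example (not part of the message above or of the cookiecentral article): a Python audit of Netscape-format cookies.txt records against the period-count rule in Netscape's original cookie specification (at least two periods under the seven special top-level domains, three otherwise), which is the rule the quoted .com.au record breaks. The function and field names are assumptions made for illustration, and every sample record other than the one quoted in the message is constructed.

```python
# Added example: flag cookies.txt domain cookies that break the Netscape
# period-count rule or carry a trailing dot. All names here are illustrative.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}
FIELDS = ("domain", "subdomains", "path", "secure", "expires", "name", "value")

def parse_line(line):
    """Split one record into its seven fields. Real files are tab-separated;
    fall back to whitespace for records flattened by mail or web extraction."""
    parts = line.split("\t") if "\t" in line else line.split(None, 6)
    if len(parts) != 7:
        raise ValueError("expected 7 fields, got %d" % len(parts))
    return dict(zip(FIELDS, parts))

def domain_problems(domain):
    """Return the reasons a cookie domain should be rejected (empty if none)."""
    problems = []
    if domain.endswith("."):
        problems.append("trailing dot")
    # Strip trailing dots first so they cannot pad the period count:
    # a raw count sees 3 periods in ".com.au." but only 2 in ".com.au".
    stripped = domain.rstrip(".")
    labels = [label for label in stripped.split(".") if label]
    if not labels:
        return problems + ["no labels"]
    required = 2 if labels[-1].lower() in SPECIAL_TLDS else 3
    periods = stripped.count(".")
    if periods < required:
        problems.append("%d periods, spec requires %d" % (periods, required))
    return problems

def audit(lines):
    """Return (domain, cookie name, problems) for each suspect domain cookie."""
    findings = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["subdomains"].upper() != "TRUE":
            continue  # host-only cookie; the rule covers domain cookies
        problems = domain_problems(rec["domain"])
        if problems:
            findings.append((rec["domain"], rec["name"], problems))
    return findings

SAMPLE = [  # first record is the one quoted in the message; the rest are constructed
    ".com.au\tTRUE\t/\tFALSE\t1264987602\tCyberTargetAnonymous\tNMN000CDCF833FA08963E9BDBC6CAA59301",
    ".example.com\tTRUE\t/\tFALSE\t1264987602\tsession\tconstructed1",
    ".com.au.\tTRUE\t/\tFALSE\t1264987602\ttracker\tconstructed2",
    "www.example.org\tFALSE\t/\tFALSE\t1264987602\tprefs\tconstructed3",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```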