[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] Supercookie issues

From: Ángel González
Subject: Re: [Bug-wget] Supercookie issues
Date: Fri, 09 Nov 2012 23:08:26 +0100
User-agent: Thunderbird

On 09/11/12 20:17, Tim Rühsen wrote:
> Am Freitag, 9. November 2012 schrieb Ángel González:
>> I see little reason for concern about supercookies on wget given that it
>> is unlikely
>> to use it for different "tasks" in the same invocation, and cookies are not
>> automatically loaded/saved accross invocations.
>> And for having a supercookie passed in the same run (eg. one website
>> redirected
>> to the other), they are probably cooperating domains, so the supercookie
>> doesn't
>> add much information.
>> You would need to be using --load-cookies and --save-cookies to allow such
>> supercookie spying.
> That's what i use wget. Logging in on a website and accessing my private data.
> One could do that even with one call to wget, so --load/save-cookies is not 
> even needed.
>> The worst case is probably if the cookie file was shared with a browser,
>> or it was
>> taken from a browser (with many cookies unrelated for what is intended) and
>> passed to wget with --load-cookies and wget sent more cookies than
>> expected .
> That is one possibility, but as i said, you won't need --load/save-cookies to 
> be vulnerable. 
Can you provide an example on how you are using wget, that leads you to
you would be vulnerable?
I think you may be misunderstanding something (but perhaps it turns out
it's me
who is wrong!).

Maybe it is most dangerous if you have load_cookies and save_cookies set
in your
wgetrc, instead of passing an appropiate one for each task.

Even then, the case you mention of stealing your private data is quite
hard, as
the to-be-stolen website is very unlikely to use a "vulnerable" domain
(ie. not caught
by the general rules used by wget).

>> Although not too important, it should be fixed, of course. The Mozilla
>> Public Suffix
>> List isn't very simple for reuse, its format is designed for how they
>> use it internally.
> No, the format is easy, clear, understandable und well documented.
> Maybe I didn't say understandable in my first post:
> The code is there and tested
> You just have to call cookie_load_public_suffixes(filename), call repeatedly 
> cookie_suffix_match(domain). Very easy.
I answered without checking, from what I remembered. Reading it now, it
seem quite straightforward to interpret the list. Although perhaps a bit
more complex
to do that efficiently for multiple domains.

I don't know where's that function you mention, I don't see it in the
website. Perhaps
it belongs to your mget?

reply via email to

[Prev in Thread] Current Thread [Next in Thread]