
Show HN: A cookie stealer disguised as a GIF image - atum47
https://github.com/victorqribeiro/cookieStealer
======
jsjohnst
Has anyone looked at the code for this? It’s a joke (whether intended as one
or not), it doesn’t really “steal” anything.

~~~
atum47
The image.php file creates and writes a json dump of the request made (where
the cookie is). The stealing part is when you inject the code on random web
site.

~~~
jsjohnst
Except a browser doesn’t send cookies from one random domain to an “image”
hosted on another domain, hence no “theft”. Cross origin cookie rules have
been the same for eons.

~~~
atum47
Well, it worked for me. I was using Moodle in class and the teacher opened a
chat so we can all discuss some project; I realized the chat accepts html and
wrote this script. I hosted it on my website and it worked.

~~~
jsjohnst
I call bullshit unless this class was 20 years ago.

~~~
atum47
Dude, look at this video:

[https://youtu.be/KaEj_qZgiKY?t=181](https://youtu.be/KaEj_qZgiKY?t=181)

~~~
laomona
The cookies from the image domain are the ones that will be sent, not the ones
from the domain that the image is displayed on. Hence, doesn't work unless you
can host your php on the targeted domain

~~~
jsjohnst
Exactly. This is like a script kiddie in the early 2000s on IRC insisting “I
can steal cookies” demonstrating it _on his own website_ and not understanding
that it means nothing.

------
codegladiator
One of the oldest trick in blackhat ?

~~~
atum47
it's a old project. I've been upload all the tools I ever made to git.

~~~
Arnt
If you expect anyone to evaluate your github stuff and care about the result,
then I suggest adjusting your commit dates to reflect reality.
[https://stackoverflow.com/q/454734/fnord](https://stackoverflow.com/q/454734/fnord)
explains how to.

~~~
atum47
Well, it's done. I removed the repo. I spent my entire day yesterday arguing
with people if this works or don't. I found some links proving my point, but
I'm not a expert on the matter, so I give up.

Here's the link about the browser sending cookies with request to external
image:

[https://bugzilla.mozilla.org/show_bug.cgi?id=375238](https://bugzilla.mozilla.org/show_bug.cgi?id=375238)

Heres the link about the video using a similar technique:

[https://youtu.be/KaEj_qZgiKY?t=160](https://youtu.be/KaEj_qZgiKY?t=160)

------
atum47
I have decided to delete this repo. I'm not an expert on security and how each
browser deals with session cookies. Sorry about any inconvenience.

