Something like accessurl: how secure is it?


#1

Encrypt a cookie, send it over to a friend, use a password in the URL to decrypt it, friend gets to use cookie to be logged in as you?

The creator's explanation in their own words: https://www.producthunt.com/posts/accessurl#comment-354414

Aren't there domain-matching things with cookies? Can you really just pass them around? What could go wrong / is this easy to break?

The cookie .... is storing some way to get to your session on the server.... so if your friend gets a copy of the cookie you had in your browser... that cookie is still just the same cookie.... then yeah I guess that would let you just pop into the session. Hmmmm..... Lookin' for other angles xD


#2

It may be helpful to ask a different question than how secure it is. It can be made secure, but it may not be a smart thing to do.

To start, it is possible to move cookies around. Consider upgrading your browser: you are replacing the binary which references a configuration file and all the rest, including cookies. It would be the same as if you copied your cookies to another user account or computer, they would all work more or less the same.

Now, that doesn't mean it works in all situations, but that is up to the website in question. For the most part cookies are set with an expiration, and it gets updated from use, so it seems like you just stay logged in. It is a nice user experience for something like a social network. Compare to a banking site, which hopefully clears out that authorization in a very short time frame.

You should not share your account with other people. If it makes more sense to share your account with a person than for them to have their own, the thing should be changed to make it better for humans.

Yes. It is susceptible to phishing and other weird attacks. Not the easiest if it is served over an encrypted connection, but phishing isn't a sophisticated method.

From one of the makers:

Then, when another user goes to your access URL, the chrome extension takes the password from the URL (which is what shows up in the #), it decrypts the cookies, and then adds them to Chrome's cookie jar.

Two things stand out for me:

  1. You'd need to share the link securely. Anyone reading it will be able to decrypt the cookie. It is probably okay in many instances, if you don't mind handing your login info (from the cookie) over to the provider of the messaging platform you are using. Security Aside℠: if you share that link over jabber the operator of the server can probably read it; so if you don't trust them, use OTR or OMEMO for the strongest privacy.
  2. As soon as your friend clicks on the link that includes the password used to encrypt the cookie the extension operator has it. I wouldn't trust them, got no reason to, but a lot of reason to not trust them with login cookies. Also, their server can be compromised, by a cracker or subpoena, which in turn gives a bad actor your login cookie.

That is for the actual tech behind the transactions. Additional concerns are people sharing the wrong cookies by accident, or using services that don't ask for verification before changing credentials, thus allowing your friends to change your password.

@tim, you build webapps from scratch, anything else going on there?


#3

From a developer's point of view, this could be a problem. Oftentimes there might be more than one cookie set for a user for a specific site, for whatever reason. It's assumed the cookies are set by the site, not passed about. Of course you'd have security in place against spoofed cookies, but I could see potential weird behavior when someone else is using a cookie the site set on another machine.

And in general... my chest just kept constricting the more I read the author's description.

This stores EVERYONE'S cookies in one place, this person's server. They didn't disclose how they encrypted them, but even if they did everything right, what if there is some accidental logging, or something? There are just too many possibilities where this could go horribly wrong.

This is basically storing your credentials on another person's server, and trusting they are managing things correctly. The only company I'd do that with is 1Password, and that's because they are insane about security.


#4

Thank you for #lazywebbing me xD


#5

What about https://www.lastpass.com/ ?


#6

I wouldn't trust any closed source vault (including 1Password), but in regards to LastPass, look no further than its security failures (well, the known ones).

I use KeePassX, a sibling project to KeePass, both excellent desktop apps. Nearly all my passwords are a minimum of ~20 characters.

For sites I log into via mobile devices I use long passphrases (see xkcd comic on the subject, or generate yer own!) and 2FA.

Keeps life simple and secure. ^_^


#7

Ditto to this! https://www.google.com/amp/www.pcworld.com/article/2936621/the-lastpass-security-breach-what-you-need-to-know-do-and-watch-out-for.amp.html?client=ms-android-google


#8

Ew! @tim shared a Google AMP URL!

Here's a :shamrock: because it comes up when searching for a shame emoji!

/me makes note to create plugin that automatically adds :shamrock:s to AMP URLs in Discourse...


#9

Aahh what have I done??!