386DX, 2014-06-28 19:51:14

How to find out who touched cookies?

In light of a recent question, is it possible to track users from VK who come to the site without their permission?
There are VKontakte and Facebook; after logging in, cookies are created with the possible storage of the user ID.
There are theoretical malicious sites that, through vulnerabilities in the browser, can steal VK and FB cookies and find out which particular person visited the site.
There was an idea that cookies are just text files that are stored in the browser's cache folder.
Therefore, you can find some program that would monitor the reading of cookies from the disk at the time of visiting malicious sites and notify the user.
I would like to put an end to the eternal question of whether the site owner can find out that the user of FB and VK visited his site.
Actually, I am searching for the specified program that monitors cookies and disk I/O.

Sorry if I wrote inconsistently.

4 answer(s)
386DX, 2014-07-04
@386DX

I apologize if I asked the wrong question. I needed an answer like this
habrahabr.ru/post/228617

FeNUMe, 2014-06-28
@FeNUMe

In major browsers, cookies are stored in an SQLite database, not as separate files. That is, in the case of a regular virus / Trojan on a computer, the most you can track is access attempts to this database. In the case of malicious code on the site, you will not be able to track it in any way, because access to cookies will be through standard browser mechanisms and will not differ from legitimate access in any way. IMHO, to track who accessed which cookies and when, you need to make changes to the browser code; this will not work with a regular add-on. As for me, this is a pointless undertaking: HTTP-only cookies were invented long ago to combat cookie theft through JS, and antiviruses exist to combat malware.

Pavel Selivanov, 2014-06-28
@selivanov_pavel

We put an end to it:
- maybe, if FB and VK provide the opportunity to place their buttons and give the site owner statistics from them that are not anonymous but include user names
- it is possible if the user leaves a comment on the site using authorization through FB or VK (both provide something similar to OAuth)
- maybe, using the Referer value from the HTTP request. This is if the user came to the site from VK or FB. But he will not learn the username.
For the paranoid, I recommend Ghostery; there is one for Firefox and one for Chrome.

Myateznik, 2014-07-04
@Myateznik

The security policy of modern browsers prevents pages from one domain from receiving cookies from another domain. You can determine that a VK or FB user visited the site using the server code by reading the Referer request header.
There is 1 way to read a Cookie (non-HTTP-only) of another domain, but it may already be fixed. If the domains are 3rd-level domains, for example domain1.example.com and domain2.example.com, then both the first domain and the second one get access to the Cookie data of the example.com domain, as they technically are subdomains of the example.com domain (technically one domain, one site). Hosting providers providing a 3rd-level domain can simply delete Cookie data for the 2nd-level domain every time they access the server; in our example the 2nd-level domain is example.com.
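
The scoping rules the answers above refer to (cookies of one domain are not sent to another, a cookie set for a parent domain is visible to sibling subdomains, HttpOnly hides a cookie from page scripts), as an added example that is not part of any answer in this thread. It is a simplified model of RFC 6265 domain matching; all host and cookie names are constructed, and Path, Secure, SameSite and the public-suffix check are left out.

```javascript
// Simplified model of RFC 6265 cookie scoping (added example, constructed data).

// RFC 6265 domain-match: same host, or host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// Store a cookie the way a browser does when originHost sends Set-Cookie.
// Returns null when the Domain attribute does not cover the sending host.
function storeCookie(originHost, name, attrs = {}) {
  const httpOnly = Boolean(attrs.httpOnly);
  if (attrs.domain) {
    if (!domainMatch(originHost, attrs.domain)) return null; // foreign domain: rejected
    const domain = attrs.domain.toLowerCase().replace(/^\./, '');
    return { name, domain, hostOnly: false, httpOnly };
  }
  // No Domain attribute: host-only cookie, bound to the exact sending host.
  return { name, domain: originHost.toLowerCase(), hostOnly: true, httpOnly };
}

// Names of cookies a request to `host` carries; with script=true, the names
// that page JavaScript (document.cookie) on that host could read.
function cookiesFor(jar, host, { script = false } = {}) {
  const h = host.toLowerCase();
  return jar
    .filter(c => c !== null)
    .filter(c => (c.hostOnly ? c.domain === h : domainMatch(h, c.domain)))
    .filter(c => !(script && c.httpOnly))
    .map(c => c.name);
}

// Constructed cookie jar for the thread's domain1/domain2.example.com case.
const jar = [
  storeCookie('domain1.example.com', 'shared', { domain: 'example.com' }),
  storeCookie('domain1.example.com', 'private1'),
  storeCookie('domain1.example.com', 'session1', { httpOnly: true }),
  storeCookie('social.example', 'social_uid'),
  storeCookie('domain2.example.com', 'forged', { domain: 'social.example' }),
];

console.log(cookiesFor(jar, 'domain2.example.com'));
console.log(cookiesFor(jar, 'domain1.example.com', { script: true }));
```

Only the cookie explicitly scoped to the parent domain crosses between the sibling subdomains; the host-only cookies and the cookie of the unrelated site stay where they were set.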
