Aaron Parecki

  • Photo - “Wear a damn mask” - Joseph https://twitter.com/photojoseph   •   Sep 10
    And the browser cookies had the passwords stored in a way that was readable?!
    Aaron Parecki
    No, the cookies are how the browser is logged in to Google. No passwords needed, 2FA doesn't matter. I'm thinking I might need to make a video on this.
    Portland, Oregon • 68°F
    Thu, Sep 10, 2020 7:08am -07:00
    2 likes 9 replies
    • Aaron Parecki twitter.com/aaronpk
      I just might do that haha. The shirt I'm wearing today says "I find your lack of security disturbing"
      Thu, Sep 10, 2020 3:57pm +00:00 (via brid-gy.appspot.com)
    • Photo - “Wear a damn mask” - Joseph twitter.com/photojoseph
      WOW. You should put that on a Tshirt. “IT Security… it’s best if you don’t think about it”
      Thu, Sep 10, 2020 2:52pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      tbh it's like the "security" involved in writing checks, it's best if you don't think too much about it
      Thu, Sep 10, 2020 2:35pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      The browser doesn't have access to the MAC. Google *could* (and probably is) checking the IP address, but it's all heuristics because your IP address may change at any time, e.g. cell phones have very unstable IPs, hop in a plane and land with an IP from another country, etc.
      Thu, Sep 10, 2020 2:34pm +00:00 (via brid-gy.appspot.com)
    • Photo - “Wear a damn mask” - Joseph twitter.com/photojoseph
      And the cookie doesn’t verify the machine it’s on? You’d think it’d only work if the MAC address and IP address were a match. This seems so very insecure.
      Thu, Sep 10, 2020 2:31pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      💯 There aren't really any other tools browsers can use for this right now. The process of logging in looks like basically: you type your password in Google, Google gives you back a cookie, your browser makes a request with that cookie and the server knows who it's for.
      Thu, Sep 10, 2020 2:25pm +00:00 (via brid-gy.appspot.com)
    • Photo - “Wear a damn mask” - Joseph twitter.com/photojoseph
      That is CRAZY that all you need is the cookies to access any account — especially a google one! So if I just sent you my cookies folder… you’d have access to anything I was logged into?!
      Thu, Sep 10, 2020 2:22pm +00:00 (via brid-gy.appspot.com)
    • Aaron Parecki twitter.com/aaronpk
      Interestingly that doesn't even matter for this since it wasn't the "normal" phishing style attack. Don't open files you download is the only safe thing, or open them on a machine that isn't logged in to anything. That obvs isn't practical, so it's a lot harder in practice.
      Thu, Sep 10, 2020 2:15pm +00:00 (via brid-gy.appspot.com)
    • Gary twitter.com/every_daydad
      So would having two separate email accounts help? One solely for the YouTube channel, and one for business in case of a malignant file?
      Thu, Sep 10, 2020 2:13pm +00:00 (via brid-gy.appspot.com)
Posted in /replies using indigenous.abode.pub/ios
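The login flow described in the thread (password and 2FA checked once, a cookie handed back, every later request identified only by that cookie) and the point about IP checks being heuristics are easy to see in code. The following is an added example written for this page, not Google's implementation or anything from the original post: a toy server-side session store with a constructed user, constructed IP addresses, and a hypothetical `bind_ip` option standing in for the kind of IP check the thread speculates about.

```python
"""Toy model of cookie-based login (added example, not production code).

Shows why a copied session cookie logs in an attacker without the password
or the 2FA code, why tying the cookie to the client IP is only a heuristic,
and why server-side revocation is what actually stops a stolen cookie.
All users, secrets and IP addresses below are constructed for the demo.
"""
import hmac
import secrets
import time

# Constructed user database. The password and TOTP code are examined at
# login and never again.
USERS = {"alice": {"password": "correct horse battery staple", "totp": "492817"}}

# Server-side session store: opaque session id -> session record.
SESSIONS = {}


def login(username, password, totp_code, client_ip):
    """Check password + 2FA. On success mint a random session id, record it,
    and return it; the browser would receive it as
    Set-Cookie: SID=<sid>; Secure; HttpOnly; SameSite=Lax."""
    user = USERS.get(username)
    if user is None:
        return None
    # Constant-time comparisons so a wrong guess does not leak timing info.
    if not hmac.compare_digest(password, user["password"]):
        return None
    if not hmac.compare_digest(totp_code, user["totp"]):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "login_ip": client_ip, "issued": time.time()}
    return sid


def whoami(cookie, client_ip, bind_ip=False):
    """What the server does on every later request: look up the bearer
    cookie. No password, no 2FA. `bind_ip` (hypothetical option) also
    requires the request to come from the IP seen at login."""
    session = SESSIONS.get(cookie)
    if session is None:
        return None
    if bind_ip and client_ip != session["login_ip"]:
        return None
    return session["user"]


def logout(cookie):
    """Server-side invalidation: deleting the record the cookie points at is
    the only thing that makes a copied cookie stop working everywhere."""
    return SESSIONS.pop(cookie, None) is not None


def demo():
    """Walk through the scenario from the thread and return each outcome."""
    # Alice logs in from her laptop (constructed address).
    cookie = login("alice", "correct horse battery staple", "492817", "203.0.113.5")
    if cookie is None:
        raise RuntimeError("login with correct credentials should succeed")
    results = {}
    results["alice_home"] = whoami(cookie, "203.0.113.5")
    # Malware copies the cookie to the attacker's machine: same cookie,
    # different IP, no password, no 2FA, and the server still says "alice".
    results["attacker"] = whoami(cookie, "198.51.100.77")
    # Binding the session to the login IP blocks the attacker...
    results["attacker_ip_bound"] = whoami(cookie, "198.51.100.77", bind_ip=True)
    # ...but equally blocks Alice when her phone hops from wifi to cellular,
    # which is why such checks can only be heuristics.
    results["alice_roaming_ip_bound"] = whoami(cookie, "192.0.2.9", bind_ip=True)
    # Revoking the session server-side is what actually kills the stolen cookie.
    logout(cookie)
    results["attacker_after_logout"] = whoami(cookie, "198.51.100.77")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cookie carries no MAC address because the browser never sees one; the server only ever sees the bearer value and the source IP of the TCP connection, which is exactly what `whoami` has to work with.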

Hi, I'm Aaron Parecki, Director of Identity Standards at Okta, and co-founder of IndieWebCamp. I maintain oauth.net, write and consult about OAuth, and participate in the OAuth Working Group at the IETF. I also help people learn about video production and livestreaming. (detailed bio)

I've been tracking my location since 2008 and I wrote 100 songs in 100 days. I've spoken at conferences around the world about owning your data, OAuth, quantified self, and explained why R is a vowel. Read more.

© 1999-2025 by Aaron Parecki. Powered by p3k. This site supports Webmention.
Except where otherwise noted, text content on this site is licensed under a Creative Commons Attribution 3.0 License.