-2

For example, if a website stores your username and passwords in cookies when you select the "keep me sign in" option, can plugins read the cookies when you access the website?

frosty
  • 2,559
  • 8
  • 37
  • 73

2 Answers2

1

Browser plugins like EditThisCookie can read cookies from the website you're visiting. Cookies are basically small text files containing a small amount of information, for example preferences, session cookies and such.

Let's take a look into the source from the plugin i've mentioned in my answer. The source contains a lot of code to get all cookies and match the URL with the specific cookie. Also I found this in the source: chrome.cookies.getAll(). This function can read all the cookies stored in your browser.

Take a look at the snippet i've copied from the source:

chrome.cookies.getAll({}, function(cookieL) {
    for (var x = 0; x < cookieL.length; x++) {
        var cCookie = cookieL[x];
        if (filterMatchesCookie(filterURL, cCookie.name, cCookie.domain, cCookie.value)) {
            var cUrl = (cCookie.secure) ? "https://" : "http://" + cCookie.domain + cCookie.path;
            deleteCookie(cUrl, cCookie.name, cCookie.storeId, cCookie)
        }
    }
});

So to answer your question: yes, plugins can read your cookies.

node_modules
  • 4,790
  • 6
  • 21
  • 37
  • So if plugins can read our cookies then how is it safe for websites to store our passwords in cookies? – frosty Sep 15 '18 at 19:56
  • 1
    @frosty Websites should **never** store passwords in cookies. – node_modules Sep 15 '18 at 19:57
  • But wouldn't they have to if they have the "keep you sign in" option? As far as I know SESSIONS expire when you close your browser. – frosty Sep 15 '18 at 19:58
  • 1
    @frosty I think you're mistaking tokens with passwords. Websites who offer `keep me signed in` options, make cookies with (encrypted) tokens. – node_modules Sep 15 '18 at 20:02
  • What's the difference? – frosty Sep 15 '18 at 20:02
  • And if they make cookies with tokens, does that mean plugins can't see the password? – frosty Sep 15 '18 at 20:03
  • @frosty Passwords should be stored **encrypted** in anytime, where no one can see them, not in cookies, not in plain text files, not in your browser's localstorage, but safe in a database. Tokens is just a string of random characters, identifying the user. However someone can steal tokens and uses yours. If a website has a decent security, it can identify the real user using the token cookies. I suggest you to read this question and answer: https://stackoverflow.com/questions/11142882/how-do-cookies-and-sessions-work – node_modules Sep 15 '18 at 20:10
0

Cookies are data, so It depends on who wrote the plugin.

Didn't read it all but it look's like a good intro.

http://anantgarg.com/2012/02/18/busting-the-cookies-and-privacy-myth/

Rabbex
  • 141
  • 1
  • 7