A developer has created a $5 device that can hack into screen-locked Macs and potentially other computers as long as a web browser is left running on the desktop.
Samy Kamkar made a YouTube video showing what happens when his creation hacks into a target computer. Called a "Poison Tap", the device runs on a Raspberry Pi Zero which plugs into a computer's USB port.
Once attached to the locked and password-protected Mac, it hijacks all web traffic by posing as a standard internet connection, after which it sets about siphoning and storing the user's HTTP cookies.
The attacker can then potentially use the stolen cookie data to access websites the user visited and log-in as them without having to enter username and password information.
Speaking to the BBC, Trend Micro security researcher Rik Ferguson said the device was a plausible threat to users who frequently left their computer unattended.
Otherwise, the best solution is for users to ensure they close their browser every time they leave their Mac unattended, or else close it down completely.
Samy Kamkar made a YouTube video showing what happens when his creation hacks into a target computer. Called a "Poison Tap", the device runs on a Raspberry Pi Zero which plugs into a computer's USB port.
Once attached to the locked and password-protected Mac, it hijacks all web traffic by posing as a standard internet connection, after which it sets about siphoning and storing the user's HTTP cookies.
The attacker can then potentially use the stolen cookie data to access websites the user visited and log-in as them without having to enter username and password information.
Speaking to the BBC, Trend Micro security researcher Rik Ferguson said the device was a plausible threat to users who frequently left their computer unattended.
[In normal circumstances] Even when you are not using a web browser it is still making requests and communicating - due to updates or ads. Once the device is plugged in it exploits that communication and steals session cookies from the top one million websites.Two-step verification would be susceptible to the same attack, explained Ferguson, because the device is able to intercept the cookies and pretend it is already in an open session. The only way to guard against such an attack would be for websites to use an encrypted connection such as HTTPS.
Otherwise, the best solution is for users to ensure they close their browser every time they leave their Mac unattended, or else close it down completely.
41 comments
With Apple's new 16-inch MacBook Pro now in stores, we were able to pick one up this morning to take a look at it and provide MacRumors readers with our first impressions on the new machine.
...
Apple's new 16-inch MacBook Pro models are in stores as of today, and iFixit, a site known for its product teardowns, has purchased one and is going to take it apart.
The teardown is...
A parliamentary committee in Germany on Wednesday passed an amendment to an anti-money laundering law that would force Apple to open up the NFC chip in iPhones to competing mobile payment providers,...
Apple today activated its in-store reserve and pickup system for the new 16-inch MacBook Pro in the United States.
This system enables customers to purchase the 16-inch MacBook Pro on...
Apple is removing all vaping-related apps from the App Store today, according to Axios, shortly after the Centers for Disease Control and Prevention reported 2,172 lung injury cases linked to...
Though Apple has not yet come out with a 5G iPhone, the company is expected to lead the 5G smartphone market in 2020, according to a new report today from analytics firm Strategy Analytics.
...
Apple has been struggling to add new subscribers to its Apple News+ service that launched in March, according to a new report from CNBC that cites people familiar with Apple News+.
When Apple...
Apple today released a new firmware update for the AirPods Pro, which were originally released on October 30.
Today's firmware update is labeled as 2B588, up from 2B584, which was the...
