CERT has issued a new advisory warning that cookies can be used by remote attackers to bypass a secure protocol (HTTPS) and reveal private session information, and that modern browsers, including Apple’s Safari, Mozilla’s Firefox and Google’s Chrome, currently provide no protection against the attack vector. The underlying research indicates that secure sites as important as Google and Bank of America are vulnerable to the technique.

A ‘cookie injection attack’, as described by Xiaofeng Zheng in Cookies Lack Integrity: Real-World Implications [PDF], is mounted by a man-in-the-middle attacker who sets cookies in the victim’s browser during the intercepted session. Cookies set in this way can facilitate the disclosure of any private data transmitted in that session.

This is possible because, although a cookie can carry a ‘secure’ flag that limits its use to HTTPS connections, the cookie itself has no provenance or chain of custody: there is no mechanism by which a browser or server can determine how it was originally set. The research team behind the above-mentioned paper, cited by CERT in its advisory, argue that the vulnerability is significant:

‘We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by the implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari). Our successful attacks have included privacy violation, online victimization, and even financial loss and account hijacking. We also discuss mitigation strategies such as HSTS, possible browser changes, and present a proof-of-concept browser extension to provide better cookie isolation between HTTP and HTTPS, and between related domains.’

The feasibility of cookie injection attacks was discussed at the 24th USENIX Security Symposium in Washington in August.

The major advantage of this approach from an attacker’s point of view is that cookies can cross site boundaries in a way that practically nothing else on the web is allowed to. Browsers and web infrastructure are strongly architected against cross-site scripting, in which one domain gains access to another domain and alters its content or reads ‘protected’ information. Cookies’ ability to persist information across domains is what lets them track users for the commercial ends of sites such as Facebook and thousands of third-party commercial concerns with a vested interest in seeing how users behave across a range of sites, rather than just the site they are currently browsing.

‘Cookies have two fairly unusual behaviors. First, there is a critical disconnection between cookie storage and reading. Cookies are set and stored as a name/domain/path to value attributes mapping, but only name-value pairs are presented to both JavaScript and web servers. This asymmetry allows cookies with the same name but different domain and/or path scopes to be written into the browser; a subsequent reader can read out all same-name cookies together, yet cannot distinguish them because the other attributes such as path are not presented in the reading process. Another complication occurs when writing a cookie: the writer can specify an arbitrary value for the path attribute, not limited by the URL of the writer’s context.’
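
The storage/reading asymmetry quoted above, and the missing provenance described earlier in the article, can be seen in a small model of a browser cookie jar. This is an added example and not code from the paper or from CERT; the host names, paths and cookie values are constructed for illustration, and the `duplicate_names` check is a hypothetical server-side detection, not something the paper specifies. The jar stores name, domain, path and the secure flag, but the Cookie header it produces carries only name=value pairs, so two same-name cookies with different scopes reach the server side by side and the server cannot tell which one it originally issued.

```python
"""Model of the cookie jar behaviour described in the paper: cookies are
stored with name/domain/path/secure attributes, but only name=value pairs
are presented to the server (and to document.cookie).
Added example, not code from the paper or the CERT advisory; host names,
paths and values below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str   # Domain attribute (host-only cookies keep the setting host here)
    path: str     # Path attribute, chosen freely by whoever set the cookie
    secure: bool  # Secure attribute: sent only over https
    # Nothing here records whether the cookie was set over http or https, or
    # by which host: that is the missing provenance the article describes.


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: exact host or a subdomain of the cookie domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match (section 5.1.4)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    def __init__(self):
        self.cookies: list[StoredCookie] = []

    def set_cookie(self, name, value, domain, path="/", secure=False):
        # Only an identical (name, domain, path) triple is overwritten; the
        # same name with a different path is a second, distinct cookie.
        self.cookies = [c for c in self.cookies
                        if not (c.name == name and c.domain == domain and c.path == path)]
        self.cookies.append(StoredCookie(name, value, domain, path, secure))

    def cookie_header(self, url: str) -> str:
        """Build the Cookie request header: only name=value pairs, longest
        path first as RFC 6265 requires, every other attribute discarded."""
        u = urlsplit(url)
        host, path = u.hostname, u.path or "/"
        matched = [c for c in self.cookies
                   if domain_matches(host, c.domain)
                   and path_matches(path, c.path)
                   and (u.scheme == "https" or not c.secure)]
        matched.sort(key=lambda c: len(c.path), reverse=True)
        return "; ".join(f"{c.name}={c.value}" for c in matched)


def duplicate_names(cookie_header: str) -> list[str]:
    """Hypothetical server-side check: cookie names that appear more than
    once in the header. A duplicated session-cookie name is a signal that
    a cookie with a more specific scope is shadowing the one the server set."""
    names = [pair.split("=", 1)[0].strip()
             for pair in cookie_header.split(";") if pair.strip()]
    return sorted({n for n in names if names.count(n) > 1})


def demo() -> tuple[str, list[str]]:
    jar = CookieJar()
    # Legitimate session cookie as the HTTPS site would set it (constructed value).
    jar.set_cookie("session", "legit-token", domain="example.com", path="/", secure=True)
    # A second cookie with the same name but a more specific path; the jar
    # keeps both and records nothing about who wrote either of them.
    jar.set_cookie("session", "injected", domain="example.com", path="/account")
    header = jar.cookie_header("https://example.com/account/settings")
    return header, duplicate_names(header)


if __name__ == "__main__":
    header, dups = demo()
    print("Cookie:", header)
    print("duplicated names:", dups)
```

Running `demo()` yields the header `session=injected; session=legit-token`: the more specific path sorts first, which is why a server that takes the first value sees the shadowing cookie, and the secure flag on the original cookie changes nothing because both are sent over HTTPS. Counting duplicate names on the server is a cheap way to notice that this is happening, though it cannot say which value is the genuine one.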

Both CERT and the Zheng paper advise that HSTS (HTTP Strict Transport Security) be implemented at the server level in order to mitigate the vulnerability. But even with that done, it remains for Apple, Google, Mozilla, Opera and all other browser publishers to prevent subdomains from being used by attackers to set malicious cookies. The paper warns: ‘even if the HSTS policy of example.com specifies includeSubDomains, this will not be checked by a browser if a user only visits bar.example.com unless the page includes a reference to example.com.’
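
The warning in that last sentence comes down to how a browser learns HSTS policy: it only records a host's `Strict-Transport-Security` header after receiving it from that host over HTTPS, so an `includeSubDomains` directive on `example.com` is unknown until `example.com` itself has been contacted. The following model of an HSTS known-hosts cache is an added example, not code from the paper or CERT, with constructed host names and max-age values; it shows which plain-HTTP connections the browser would still permit after visiting only `bar.example.com`, and how the picture changes once the apex domain's policy has been seen.

```python
"""Model of how a browser applies HSTS (RFC 6797 known-hosts cache), to
illustrate why includeSubDomains on example.com protects nothing until the
browser has actually received that header from example.com.
Added example, not code from the paper or the CERT advisory; host names
and max-age values are constructed."""
import time


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": 0, "include_subdomains": False}
    for directive in header_value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            policy["max_age"] = int(directive[len("max-age="):].strip('"'))
        elif directive == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


class HstsCache:
    """Known HSTS hosts, keyed by the exact host that sent the header."""

    def __init__(self, now=time.time):
        self.now = now
        self.entries: dict[str, dict] = {}

    def observe(self, host: str, header_value: str) -> None:
        """Called only when an HTTPS response from `host` carries the header;
        a browser never infers a policy for a host it has not talked to."""
        policy = parse_hsts(header_value)
        if policy["max_age"] == 0:
            self.entries.pop(host, None)   # max-age=0 clears a stored policy
            return
        policy["expires"] = self.now() + policy["max_age"]
        self.entries[host] = policy

    def must_use_https(self, host: str) -> bool:
        """True if the host itself is known, or a superdomain is known with
        includeSubDomains. Superdomains never contacted contribute nothing."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None or entry["expires"] <= self.now():
                continue
            if i == 0 or entry["include_subdomains"]:
                return True
        return False


def scenario() -> dict:
    """Visit only bar.example.com first, then example.com itself, and report
    which hosts the browser would refuse to reach over plain http."""
    cache = HstsCache()
    policy = "max-age=31536000; includeSubDomains"
    hosts = ("bar.example.com", "foo.example.com", "example.com")
    # 1. The user has visited only bar.example.com. That host sends HSTS with
    #    includeSubDomains too, but its policy covers *its* subdomains only;
    #    nothing has told the browser what example.com's policy is.
    cache.observe("bar.example.com", policy)
    before = {h: cache.must_use_https(h) for h in hosts}
    # 2. A visit to example.com itself (for instance a sub-resource loaded
    #    from it) delivers the apex policy, which now covers every subdomain.
    cache.observe("example.com", policy)
    after = {h: cache.must_use_https(h) for h in hosts}
    return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, result in scenario().items():
        print(stage, result)
```

Before the apex domain has been seen, `foo.example.com` and `example.com` are still reachable over plain HTTP, which is exactly the window the paper's warning describes; afterwards all three are upgraded. Getting the apex domain's policy into the browser early, either by ensuring pages reference it or by submitting the domain to the browsers' HSTS preload list, is what closes that window for users who never type the bare domain.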
