Cookies can Cause Data Leaks

Wednesday, September 30, 2015 @ 12:09 PM gHale

A weakness in how web browsers handle cookies could enable an attacker to access private information from HTTPS sessions.

Cookies set over plain HTTP requests undermine the security of HTTPS sessions.


The reason is that cookies do not provide “integrity guarantees for sibling domains,” according to the US-CERT advisory.

Web browsers do not always authenticate the domain that sets a cookie, so an attacker can set a cookie that the browser later sends over an HTTPS connection in place of the cookie set by the legitimate site, the advisory said. Combined with other vulnerabilities on the server, the attacker’s cookie could then be used to gain access to private information.

“A malicious attacker can utilize this to set a cookie that is later used via an HTTPS connection instead of the cookie set by the actual site; for example, an attacker may set cookies for that override the real cookie for when the victim is loading HTTPS content,” the CERT advisory said.

Details of the vulnerability were released when researchers published a paper at USENIX Security 2015. They said that while a cookie can carry a secure flag, indicating it should be sent only over an HTTPS connection, there is no flag that records whether the cookie itself was set over HTTP or HTTPS. As a result, an attacker who can man-in-the-middle a plain HTTP session can inject cookies that the browser then attaches to subsequent HTTPS connections to the same site or its subdomains.
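The two failure modes the paper describes are easiest to see in a browser cookie jar. The following is an added example, not code from the article, the USENIX paper or any browser: a minimal RFC 6265-style cookie jar that reproduces (1) a cookie set over plain HTTP overwriting a Secure cookie with the same name, domain and path, and (2) a parent-domain cookie set over HTTP shadowing the real host-only cookie of a subdomain. The `leaveSecureCookiesAlone` option models the later RFC 6265bis rule that a non-secure origin may neither set a Secure cookie nor overwrite or shadow one. The host names `bank.example` and `login.bank.example` and the cookie values are hypothetical.

```javascript
// Added example: a toy RFC 6265 cookie jar (not any browser's code).
// bank.example / login.bank.example and the cookie values are hypothetical.

// RFC 6265 5.1.3 domain-match: host equals domain or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 5.1.4 default-path, used when Set-Cookie carries no Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== "/") return "/";
  const i = requestPath.lastIndexOf("/");
  return i === 0 ? "/" : requestPath.slice(0, i);
}

// Parse "name=value; Attr; Attr=val" (only Secure, Domain and Path are modelled).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, domain: null, path: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") c.secure = true;
    else if (key === "domain") c.domain = v.trim().replace(/^\./, "").toLowerCase();
    else if (key === "path") c.path = v.trim();
  }
  return c;
}

class CookieJar {
  constructor({ leaveSecureCookiesAlone = false } = {}) {
    this.strict = leaveSecureCookiesAlone; // RFC 6265bis "leave secure cookies alone"
    this.store = [];
    this.clock = 0; // creation order, used by the Cookie-header sort
  }

  // Store one Set-Cookie header from a response of {host, path, scheme}.
  setCookie(header, { host, path = "/", scheme }) {
    const c = parseSetCookie(header);
    if (c.domain === null) { c.domain = host; c.hostOnly = true; }
    else if (!domainMatches(host, c.domain)) return false; // 5.3 step 6: reject
    else c.hostOnly = false;
    if (c.path === null || c.path[0] !== "/") c.path = defaultPath(path);
    if (this.strict && scheme !== "https") {
      if (c.secure) return false; // insecure origin may not set a Secure cookie
      const shadowsSecure = this.store.some((o) => o.name === c.name && o.secure &&
        (domainMatches(c.domain, o.domain) || domainMatches(o.domain, c.domain)) &&
        pathMatches(c.path, o.path));
      if (shadowsSecure) return false; // ...nor overwrite or shadow one
    }
    // 5.3 step 11: same name + domain + path replaces the old cookie, Secure or not.
    this.store = this.store.filter((o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    c.created = this.clock++;
    this.store.push(c);
    return true;
  }

  // RFC 6265 5.4: Cookie header for a request, longest path first, then oldest first.
  cookieHeader({ host, path, scheme }) {
    return this.store
      .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .filter((c) => pathMatches(path, c.path) && (!c.secure || scheme === "https"))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Scenario 1 (overwrite): the site sets a Secure session cookie over HTTPS; a
// man-in-the-middle on a later plain-HTTP request to the same host sets the same name/path.
function overwriteScenario(strict) {
  const jar = new CookieJar({ leaveSecureCookiesAlone: strict });
  jar.setCookie("session=legit; Secure; Path=/", { host: "bank.example", scheme: "https" });
  jar.setCookie("session=evil; Path=/", { host: "bank.example", scheme: "http" }); // injected
  return jar.cookieHeader({ host: "bank.example", path: "/account", scheme: "https" });
}

// Scenario 2 (shadowing): the real cookie is host-only for login.bank.example; the
// injected one has Domain=bank.example and a longer Path, so it sorts first and a
// server that reads the first "session" value gets the attacker's.
function shadowScenario(strict) {
  const jar = new CookieJar({ leaveSecureCookiesAlone: strict });
  jar.setCookie("session=legit; Secure", { host: "login.bank.example", path: "/", scheme: "https" });
  jar.setCookie("session=evil; Domain=bank.example; Path=/account",
    { host: "www.bank.example", scheme: "http" }); // injected on a sibling host
  return jar.cookieHeader({ host: "login.bank.example", path: "/account/settings", scheme: "https" });
}

console.log("overwrite, RFC 6265:", overwriteScenario(false)); // session=evil
console.log("overwrite, 6265bis: ", overwriteScenario(true));  // session=legit
console.log("shadow, RFC 6265:   ", shadowScenario(false));    // session=evil; session=legit
console.log("shadow, 6265bis:    ", shadowScenario(true));     // session=legit
```

Note that in the shadowing case the browser sends both cookies; the attack succeeds because nothing in the Cookie header tells the server which one it set itself, and a server that takes the first value of a duplicated name will use the injected one.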

The problem affected websites such as Google and Bank of America, and all major web browsers, including Chrome, Firefox, Internet Explorer and Safari. A lasting fix would be safer handling of cookies by updating the same-origin policy for cookies, CERT said.

To mitigate the attack, CERT advises website operators to deploy HSTS on the top-level domain they control (the registrable domain, such as example.com, rather than only a subdomain such as login.example.com) and to use the includeSubDomains option, which limits an attacker’s ability to set top-level cookies that override the subdomain ones. End users should update their browsers to ensure they have full HSTS support, CERT said.
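Why includeSubDomains matters is clearer with a model of how a browser applies the policy. The following is an added example, not code from the article or US-CERT: a minimal HSTS cache along the lines of RFC 6797, used to list which hosts a browser would still fetch over plain HTTP (and so still expose to cookie injection by a man-in-the-middle) under each header. The host names are hypothetical.

```javascript
// Added example: toy HSTS cache (not any browser's code); host names are hypothetical.

// Parse a Strict-Transport-Security header value. Returns null if it is invalid.
function parseHsts(header) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const directive of header.split(";")) {
    const [k, v = ""] = directive.trim().split("=");
    const key = k.trim().toLowerCase();
    if (key === "max-age") policy.maxAge = parseInt(v.trim().replace(/"/g, ""), 10);
    else if (key === "includesubdomains") policy.includeSubDomains = true;
  }
  return policy.maxAge === null || Number.isNaN(policy.maxAge) || policy.maxAge < 0 ? null : policy;
}

class HstsCache {
  constructor() { this.known = new Map(); }

  // RFC 6797 8.1: the header is honoured only on responses received over HTTPS;
  // over plain HTTP a man-in-the-middle could set or clear it. max-age=0 removes
  // the host's policy.
  observe(host, header, scheme) {
    if (scheme !== "https") return false;
    const policy = parseHsts(header);
    if (!policy) return false;
    if (policy.maxAge === 0) this.known.delete(host);
    else this.known.set(host, policy);
    return true;
  }

  // RFC 6797 8.2/8.3: a host is an HSTS host if it has its own entry, or if a
  // superdomain has an entry with includeSubDomains. HSTS hosts are never
  // contacted over plain HTTP, so there is no HTTP response to inject cookies into.
  isKnownHsts(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const policy = this.known.get(labels.slice(i).join("."));
      if (policy && (i === 0 || policy.includeSubDomains)) return true;
    }
    return false;
  }
}

// Given the header bank.example sends over HTTPS, which of these hosts would the
// browser still load over plain HTTP?
function unprotectedHosts(header) {
  const cache = new HstsCache();
  cache.observe("bank.example", header, "https");
  const hosts = ["bank.example", "www.bank.example", "login.bank.example", "notbank.example"];
  return hosts.filter((h) => !cache.isKnownHsts(h));
}

console.log(unprotectedHosts("max-age=31536000"));
// [ 'www.bank.example', 'login.bank.example', 'notbank.example' ]
console.log(unprotectedHosts("max-age=31536000; includeSubDomains"));
// [ 'notbank.example' ]
```

Two caveats a practitioner should keep in mind: the policy only takes effect after the browser has seen the header over HTTPS at least once (or the domain is on a browser preload list), so the first visit is unprotected; and includeSubDomains commits every subdomain, including ones that currently serve only HTTP, to HTTPS.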