Cookies can Cause Data Leaks
Wednesday, September 30, 2015 @ 12:09 PM gHale
A vulnerability in cookies could enable an attacker to access private information from HTTPS sessions.
Cookies established via HTTP requests represent a security flaw for HTTPS sessions.
The reason is that they do not provide “integrity guarantees for sibling domains,” according to the US-CERT advisory.
Web browsers do not always authenticate the domain setting a cookie, which could let an attacker set a cookie that is later used via an HTTPS connection instead of the cookie set by the actual site, the advisory said. Combined with other vulnerabilities in the server, the attacker’s cookie could then be used to gain access to private information.
“A malicious attacker can utilize this to set a cookie that is later used via an HTTPS connection instead of the cookie set by the actual site; for example, an attacker may set cookies for example.com that override the real cookie for www.example.com when the victim is loading HTTPS content,” the CERT advisory said.
Details of the vulnerability were released when researchers published a paper at USENIX Security 2015. They said that while a cookie can carry a secure flag indicating it should be sent only over an HTTPS connection, there is no flag to indicate how a cookie was set. As a result, attackers conducting man-in-the-middle attacks on an HTTP session can inject cookies that then attach to subsequent HTTPS connections.
The vulnerability affected websites such as Google and Bank of America, as well as major web browsers, including Chrome, Firefox, Internet Explorer, and Safari. A solution to the issue would be safer handling of cookies through an updated same-origin policy for cookies, CERT said.
To mitigate the attack, CERT advises website operators to deploy HSTS on the top-level domain they control, and to use the includeSubDomains option, which limits an attacker’s ability to set top-level cookies capable of overriding the subdomain ones. End-users should update their browsers to ensure they have full HSTS support, CERT said.
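The cookie domain-matching rule and the HSTS mitigation described above, modelled as an added example (this is not code from the advisory or the USENIX paper). The toy cookie jar, the domain names and the cookie values are constructed for illustration; the jar deliberately has no field recording whether a cookie arrived over HTTP or HTTPS, which is the gap the advisory describes.

```python
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # setting host, or the Domain attribute (no leading dot)
    host_only: bool   # True when no Domain attribute was present
    secure: bool      # there is no "set over HTTPS" flag, as the advisory notes


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain match: exact host or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


@dataclass
class Jar:
    cookies: list = field(default_factory=list)
    hsts: dict = field(default_factory=dict)  # domain -> includeSubDomains

    def hsts_covers(self, host: str) -> bool:
        return any(host == d or (sub and host.endswith("." + d))
                   for d, sub in self.hsts.items())

    def set_cookie(self, scheme, host, name, value, domain=None, secure=False):
        """Store a Set-Cookie received from scheme://host; True if stored."""
        if scheme == "http" and self.hsts_covers(host):
            return False  # HSTS: the browser never accepts plaintext here
        if domain is not None and not domain_matches(host, domain):
            return False  # Domain must cover the setting host
        key = (name, domain or host, domain is None)
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.host_only) != key]
        self.cookies.append(Cookie(name, value, key[1], key[2], secure))
        return True

    def cookie_header(self, scheme, host) -> str:
        """Build the Cookie request header sent to scheme://host."""
        sent = []
        for c in self.cookies:
            if c.secure and scheme != "https":
                continue
            ok = host == c.domain if c.host_only else domain_matches(host, c.domain)
            if ok:
                sent.append(f"{c.name}={c.value}")
        return "; ".join(sent)


def demo(hsts_include_subdomains: bool) -> str:
    jar = Jar()
    if hsts_include_subdomains:
        jar.hsts["example.com"] = True  # HSTS on the top-level domain
    jar.set_cookie("https", "www.example.com", "session", "legit", secure=True)
    # plaintext response for example.com, as a network attacker could supply
    jar.set_cookie("http", "example.com", "session", "injected", domain="example.com")
    return jar.cookie_header("https", "www.example.com")
```

Without HSTS the HTTPS origin receives two `session` cookies and nothing in the jar distinguishes the injected one; with HSTS plus includeSubDomains on the top-level domain, the plaintext response is never accepted and only the legitimate cookie is sent.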