Newfangled cookie attack steals/poisons website creds

Google, Facebook risk

The Essential Guide to IT Transformation

A security researcher has discovered a weakness in a core browser protocol that compromises the security of Google, Facebook, and other websites by allowing an attacker to tamper with the cookies they set.

The weakness stems from RFC 2965, which dictates that browsers must allow subdomains (think www.google.com) to set and read cookies for their parent (google.com). The specification also states that if a cookie for a subdomain doesn't already exist, the browser should use the cookie belonging to the parent instead.

The arrangement makes it possible for attackers to steal or even alter the cookies that websites use to authenticate their users. Attackers would first have to identify an XSS, or cross-site scripting, bug in some part of the site they are targeting. But because virtually any subdomain will suffice, the scenario isn't unrealistic, two web security experts said.

"Most websites actually will store session IDs in a cookie and that's actually how they keep track of users throughout the use of their website," said Mike Bailey, a senior researcher for Foreground Security who first documented the flaw at last month's Toorcon hacker conference. "Using the same techniques to attack those cookies, I can really damage sessions and cause some problems."

Bailey's paper goes on to demonstrate how he used the technique to bypass a feature Google recently implemented to beef up security on Gmail and other properties. By exploiting a minor vulnerability in sites.google.com, he was able to falsify the contents of his global Google cookie. Google has since fixed the XSS hole in the subdomain.

In turn, that allowed him fool the Google protection, which checks to make sure the value in the cookie matches a hidden parameter of the login page.

Bailey lists several other sites that have been known to be vulnerable to similar attack techniques. Using an XSS hole on www.advertising.expedia.com, he found it was possible to poison the global cookies for the entire expedia.com domain. Because the site didn't set the cookies with proper escaping, an attacker could have used the weakness to inject malicious javascript into expedia pages.

Chase.com, capitalone.com and chasevisasignature.com either are or were vulnerable to similar attacks because they shared code with images.bigfootinteractive.com, which was vulnerable to XSS exploits.

Bailey said it's not hard to imagine university websites would be vulnerable to such attacks because the domain names frequently use names such as psychology.school.edu, geography.school.edu and so forth. A single bug in a student-maintained computer science project might be enough to compromise personal data stored on the college's student enrollment server, he said.

Websites can guard against attacks by regularly checking their pages for bugs, but because the attack exploits the way browsers are supposed to handle cookies, a more comprehensive fix will probably require a change to the underlying protocols. Which means this attack will probably be around for a while to come.

The paper is here. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.