Cookies can bypass HTTPS in web browsers

By on
Cookies can bypass HTTPS in web browsers

Fundamental flaw in state management feature could bust open secured web browsing.

The US Computer Emergency Response Team (CERT) has issued a vulnerability note warning that cookies in web browsers could allow remote attackers to bypass secured sessions and reveal private information.

Cookies are small text files with data sent to web browsers that servers and applications use to keep track on what users do during their sessions.

They have long been thought to contain potential security issues, as the RFC 6265 specification does not give mechanisms for isolation and integrity guarantees, CERT said its 804060 notice.

A group of researchers from the University of California, Tsinghua University, Huawei and Microsoft found that thanks to the lack of integrity guarantees, an attacker with a man in the middle position on a plain-text HTTP browsing session could inject cookies that will be used for secure HTTPS encrypted sessions.

This, the researchers wrote in the Cookies Lack Integrity: Real-World Implications paper [pdf], can be achieved even if the "secure" flag is set to the state-management feature, indicating the files should only be sent over an HTTPS connection.

Cookie attacks can be performed with most modern web browsers such as Apple Safari, Google Chrome, Mozilla Firefox and Microsoft Internet Explorer.

"We found cookie injection attacks are possible with very large websites and popular open source applications including Google, Amazon, eBay, Apple, Bank of America, BitBucket, China Construction Bank, China UnionPay,, phpMyAdmin, and MediaWiki, among others," the researchers wrote.

Several types of attacks are possible with cookie injection, they said, including cross-site scripting, leaking of private data, cross-site request forgery (CSRF), fraud and theft of user account details.

To demonstrate the vulnerability, the researchers devised two exploits against Google, hijacking the Gmail chat gadget, and invisibly stealing a user's search history.

This was possible because the base domain is not fully protected by HTTP strict transport security (HSTS), which allows a server to tell a client to only ever communicate over HTTPS.

The researchers also found a corner case affecting shared domains used by content delivery networks such as Cloudflare, CacheFly and Microsoft's Azure that permitted cookie injection attacks.

Mitigation measures against cookie injection attacks include full HSTS protection, a public suffix list of top-level and shared domains, defensive cookie practises such as frequently invalidating them, and anomaly detection to ensure the state-management settings are valid.

HSTS is however, problematic - Google, for instance, cannot fully deploy the security measure because it is required to support non-HTTPS access for mandatory adult content filtering in schools and other locations.

Social networks Facebook and Twitter cannot support HSTS fully either on all subdomains, and the researchers suggested a number of workarounds to prevent cookies being replaced or inserted secretly.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?