Cookies Lack Integrity: Real-World Implications

Title: Cookies Lack Integrity: Real-World Implications
Publication Type: Conference Paper
Year of Publication: 2015
Authors: Zheng, X., Jiang, J., Liang, J., Duan, H., Chen, S., Wan, T., & Weaver, N.
Page(s): 707-721
Other Numbers: 3814
Abstract

A cookie can carry a “secure” flag, indicating that it should only be sent over an HTTPS connection. Yet there is no corresponding flag to indicate how a cookie was set: an attacker who acts as a man-in-the-middle, even temporarily, on an HTTP session can inject cookies that the browser will attach to subsequent HTTPS connections. Similar attacks can also be launched by a web attacker from a related domain. Although an acknowledged threat, it has not yet been studied thoroughly. This paper aims to fill this gap with an in-depth empirical assessment of cookie injection attacks. We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari). Our successful attacks have included privacy violation, online victimization, and even financial loss and account hijacking. We also discuss mitigation strategies such as HSTS and possible browser changes, and present a proof-of-concept browser extension that provides better cookie isolation between HTTP and HTTPS, and between related domains.
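The mechanism the abstract describes follows directly from how RFC 6265 stores cookies and builds the Cookie header: storage is keyed on name, domain and path, with no record of the scheme that set the cookie. The model below is an added example written for this page, not code from the paper or its browser extension; the hosts (bank.example, www.example.com, blog.example.com) and cookie values are made up, and the `isolateSecure` option is an assumed illustration of the "better cookie isolation" idea rather than the authors' extension.

```javascript
// Added example: a minimal model of RFC 6265 cookie storage (section 5.3) and
// Cookie header construction (section 5.4). Hosts and values are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: null, hostOnly: true, path: '/', secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'secure') c.secure = true;
    else if (key === 'path') c.path = v;
    else if (key === 'domain') { c.domain = v.replace(/^\./, '').toLowerCase(); c.hostOnly = false; }
  }
  return c;
}

// Domain-match per RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Path-match per RFC 6265 section 5.1.4.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

class CookieJar {
  // isolateSecure is an assumed option modelling HTTP/HTTPS cookie isolation;
  // the default (false) is plain RFC 6265 behaviour.
  constructor({ isolateSecure = false } = {}) {
    this.cookies = [];
    this.seq = 0;
    this.isolateSecure = isolateSecure;
  }

  // Store one Set-Cookie header received from `host` over `scheme` ('http' or 'https').
  setCookie(host, scheme, header) {
    const c = parseSetCookie(header);
    if (c.domain === null) c.domain = host;                // host-only cookie
    else if (!domainMatches(host, c.domain)) return false; // 5.3 step 6: foreign domain
    if (this.isolateSecure && scheme === 'http') {
      // Isolation rule (assumption, not RFC 6265): an insecure response may neither set
      // a Secure cookie nor a cookie that would overwrite or shadow an existing Secure
      // cookie of the same name applying to this host.
      if (c.secure) return false;
      if (this.cookies.some((o) => o.secure && o.name === c.name &&
          (domainMatches(host, o.domain) || domainMatches(o.domain, host)))) return false;
    }
    // 5.3 step 11: same name, domain and path replaces the stored cookie, whatever
    // scheme set either of them. This is the missing integrity the paper describes.
    const i = this.cookies.findIndex((o) => o.name === c.name && o.domain === c.domain && o.path === c.path);
    c.creation = i >= 0 ? this.cookies[i].creation : this.seq++;
    c.setOver = scheme;
    if (i >= 0) this.cookies[i] = c; else this.cookies.push(c);
    return true;
  }

  // Cookie header for a request to host/path over scheme (5.4): longer paths first,
  // then earlier creation time. Secure cookies are omitted on http only.
  cookieHeader(host, scheme, path = '/') {
    return this.cookies
      .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)) &&
                     pathMatches(path, c.path) && (!c.secure || scheme === 'https'))
      .sort((a, b) => b.path.length - a.path.length || a.creation - b.creation)
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// 1. Overwrite: a man-in-the-middle answers a plain-HTTP request to bank.example and
//    replaces the Secure session cookie; the replacement then rides on HTTPS requests.
function demoOverwrite(isolate = false) {
  const jar = new CookieJar({ isolateSecure: isolate });
  jar.setCookie('bank.example', 'https', 'SID=victim-session; Secure; Path=/');
  jar.setCookie('bank.example', 'http', 'SID=attacker-session; Path=/');
  return jar.cookieHeader('bank.example', 'https', '/account');
}

// 2. Shadowing: same name with a more specific Path. Both cookies are sent, the
//    attacker's first, which is the one most server frameworks read.
function demoShadow() {
  const jar = new CookieJar();
  jar.setCookie('bank.example', 'https', 'SID=victim-session; Secure; Path=/');
  jar.setCookie('bank.example', 'http', 'SID=attacker-session; Path=/account');
  return jar.cookieHeader('bank.example', 'https', '/account');
}

// 3. Related domain: a web attacker on blog.example.com sets Domain=example.com and
//    the cookie is attached to HTTPS requests to www.example.com.
function demoRelatedDomain() {
  const jar = new CookieJar();
  jar.setCookie('www.example.com', 'https', 'SID=victim-session; Secure');
  jar.setCookie('blog.example.com', 'https', 'SID=attacker-session; Domain=example.com; Path=/login');
  return jar.cookieHeader('www.example.com', 'https', '/login');
}
```

With `isolateSecure` off, `demoOverwrite()` yields `SID=attacker-session` on the HTTPS request even though the injected cookie was never marked Secure; with it on, the insecure Set-Cookie is rejected and the victim's cookie survives. Note that HSTS only closes the first vector (no HTTP session to tamper with) and does nothing for the related-domain case, which is why the abstract lists browser-side isolation separately.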

Acknowledgment

This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS : 1213157 (“User-Centric Network Measurement”) and CNS : 1237265 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives"). Additional funding was provided by the National Natural Science Foundation of China (Grant No. 61472215) and Tsinghua National Laboratory for Information Science and Technology (TNList) Academic Exchange Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the NSF, the National Natural Science Foundation of China, or the TNList Academic Exchange Foundation.

URL: http://www.icsi.berkeley.edu/pubs/networking/cookieslack15.pdf
Bibliographic Notes

Proceedings of the 24th USENIX Security Symposium, Washington, D.C., pp. 707-721

Abbreviated Authors

X. Zheng, J. Jiang, J. Liang, H. Duan, S. Chen, T. Wan and N. Weaver

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings