Cookie Holes Expose Browsers

According to one researcher, weaknesses in the way most browsers handle cookies could leave many Web sites vulnerable to outside attack.

Security researcher Michal Zalewski has identified an issue related to the manner in which most Web browsers process so-called cookies that he contends may leave many Web sites open to malicious attacks.

Zalewski, best known as the author of security tome "Silence on the Wire," has labeled his discovery "cross-site cooking" and claims that the problem is based on some of the primary design elements used to create and employ HTTP cookies.

Cookies are pieces of text-only string code entered into a browsers memory by a Web site, used in many cases to allow the applications to retain user data such as personal identification and password information.

According to Zalewski, who is currently based in Poland but worked previously for security firm BindView, three separate flaws related to cookie generation and retention make it "alarmingly easy" for malicious sites to load spoofed information onto the browsers of unsuspecting users via legitimate third-party Web servers.

On a post to the BugTraq mailing list for security researchers, Zalewski outlined the cookie problems and also indicated his belief that the issues were reported publicly as long ago as 1998, while noting that apparently nothing has been to remedy the situation.

"There is no immediate universal threat to life as we know it, but numerous Web scripts are an easy target of specific variants of the attacks," Zalewski wrote.

"On sites where authentication data is tied on a server to a session ID, the attacker may be able to acquire credentials by tricking the visitor to authenticate within a session initiated by the attacker."

Specifically, the researcher said one of the issues is tied to the process through which cookies are issued by sites, which was originally designed to help browsers reject cookies that are set up for Web domains that may be defined too broadly, or which do not match the location of the site generating the data.

Typically, when a new cookie is issued to a browser, the Web server processing the information specifies the domain and location with which the cookies data is associated.

Zalewski said the mechanism used to prevent people from creating cookies with "overly relaxed domain specification" appears to be broken in all the major commercial Web browsers.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

While the rule in question specifies that a particular number of periods, or dots, must be used in the top-level domain names of most Web site addresses to prevent subdomain names from being changed to something different, the researcher said this feature can be easily bypassed in browsers such as Microsofts Internet Explorer and Mozilla Foundations Firefox.

Representatives from Microsoft and Mozilla didnt immediately return calls seeking comment on Zalewskis findings.

Once bypassed, Zalewski said, the cookie identification flaw could be used to "override or corrupt credentials or other parameters on hundreds of thousands of e-commerce Web sites," potentially allowing someone to remotely plant user information on another persons computer and steal credentials when that person logs onto a site. Sites bearing international domain names may be at even greater risk for attack, Zalewski said.

Zalewski said the only way to solve the issue may be to make changes to the basic format used to create HTTP cookies, but he advised that browsers may be protected against such attacks if they are programmed to recognize top-level domains that could be targeted by such activity.

Another related cookie issue highlighted in the posting was the finding that some browsers, including Explorer and Firefox, do not actively scan to see if additional information has been placed between the periods used in the domain name listed by a particular cookie.

/zimages/6/28571.gifMozilla downplays an exploit found in Firefox 1.5. Click here to read more.

This problem could allow someone to unwittingly redirect a user to a different site, Zalewski said, potentially one that has been spoofed to appear just like the Web page the user believed he or she was requesting.

The second cookie issue he mentioned was a problem specifically documented for browser makers as far back as 1998 by another researcher named Benjamin Franz, Zalewski said.

The third flaw Zalewski reported involves a method which could be used by an attacker to force site visitors to unwittingly accept and relay cookies to a third-party site.

While it is believed that this would not compromise peoples settings the next time they visited the site that held the affected cookie, Zalewski said the method could be used immediately to change a users identity and attack the site in question.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.