Chrome, Firefox Vulnerable to Cookie Injection Attacks, CERT Warns

Alexandra GHEORGHE

September 25, 2015

Browser cookies can be used to undermine the protection of HTTPS connections and aid man-in-the-middle attackers, according to a CERT advisory.

“Attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections,” the note says.

Modern browsers including Apple’s Safari, Mozilla’s Firefox and Google’s Chrome apparently have a faulty implementation that leaves them vulnerable to cookie injection attacks. Although a cookie can carry a ‘secure’ flag that limits it to HTTPS connections, affected browsers do not verify where a cookie came from, so a cookie planted over plain HTTP is still attached to later HTTPS requests.

This means a man-in-the-middle attacker can set a cookie for a parent domain that the browser then sends, over HTTPS, to a subdomain: “an attacker may set cookies for example.com and override the real cookie for www.example.com.”

Fake cookies set in this way can facilitate the disclosure of any private data being transmitted in the session.

“We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by the implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari),” CERT says.

Site owners are advised to enable HSTS (HTTP Strict Transport Security) with the includeSubDomains directive. This partially mitigates the attack, because the attacker can no longer obtain a plain-HTTP session on any subdomain from which to set top-level cookies that override subdomain cookies.
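As an added illustration that is not part of the CERT note or this article, the following Python model shows why the attack works and what the recommended header change checks for. The first half reproduces the standard cookie domain-matching rule (RFC 6265), under which a cookie scoped to example.com is attached to a request for www.example.com, and a toy cookie jar that, like the affected browsers, records nothing about whether a cookie arrived over HTTP or HTTPS. The second half parses a Strict-Transport-Security header (RFC 6797) and reports whether the policy is active and covers subdomains. All hostnames, cookie values and header strings are constructed samples; the function names are this example's own.

```python
"""Added example: cookie scoping and HSTS checking, modelled after RFC 6265
and RFC 6797. Not the CERT note's or the article's code; sample values are
constructed."""
from dataclasses import dataclass
from typing import Dict, List


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: the request host either equals
    the cookie's Domain attribute or is a subdomain of it (suffix match on a
    label boundary, so example.com.evil.test does not match example.com)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not cookie_domain:
        return False
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str    # Domain attribute from the Set-Cookie header
    secure: bool   # Secure flag: only sent over HTTPS


def cookies_for_request(jar: List[Cookie], scheme: str, host: str) -> List[Cookie]:
    """Return the cookies a browser would attach to scheme://host/.

    Nothing here remembers whether a cookie was set over HTTP or HTTPS; that
    missing provenance is the weakness the advisory describes, so a cookie
    planted during a plain-HTTP session rides along on later HTTPS requests."""
    sent = []
    for c in jar:
        if c.secure and scheme != "https":
            continue
        if domain_match(host, c.domain):
            sent.append(c)
    return sent


def demo_injected_cookie() -> List[str]:
    """Constructed jar: the site's real session cookie for www.example.com plus
    a same-name cookie scoped to the parent domain, set without the secure
    flag over HTTP. Both are attached to the HTTPS request."""
    jar = [
        Cookie("session", "real-value", "www.example.com", secure=True),
        Cookie("session", "injected", "example.com", secure=False),
    ]
    return [c.value for c in cookies_for_request(jar, "https", "www.example.com")]


def parse_hsts(header_value: str) -> Dict[str, str]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1)
    into a directive map. Directive names are case-insensitive; valueless
    directives such as includeSubDomains map to an empty string."""
    directives: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_covers_subdomains(header_value: str) -> bool:
    """True when the policy is active (max-age > 0) and extends to every
    subdomain, the configuration the advisory recommends. A header with only
    max-age leaves subdomains reachable over plain HTTP."""
    d = parse_hsts(header_value)
    try:
        max_age = int(d.get("max-age", "0"))
    except ValueError:
        return False
    return max_age > 0 and "includesubdomains" in d


# Constructed header values: the weak setting beside the recommended one.
WEAK_HSTS = "max-age=31536000"
RECOMMENDED_HSTS = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    print("cookies sent to https://www.example.com/:", demo_injected_cookie())
    for label, value in (("weak", WEAK_HSTS), ("recommended", RECOMMENDED_HSTS)):
        print(f"{label:12s} {value!r:45s} covers subdomains: {hsts_covers_subdomains(value)}")
```

Run the module directly to see both halves: the injected parent-domain cookie appears alongside the real one on the HTTPS request, and only the header carrying includeSubDomains passes the check. The check is deliberately strict about max-age, since a policy of max-age=0 withdraws HSTS rather than enabling it.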

The latest versions of the browsers mentioned are not affected, so updating your browser is the best protection.
