
Chrome, Firefox Vulnerable to Cookie Injection Attacks, CERT Warns

Alexandra GHEORGHE

September 25, 2015


Browser cookies can be used to bypass HTTPS connections and facilitate man-in-the-middle attacks, according to a CERT advisory.

“Attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections,” the note says.

Apple’s Safari, Mozilla’s Firefox and Google’s Chrome reportedly share a faulty implementation that leaves them vulnerable to cookie injection attacks. Although a cookie can carry a ‘secure’ flag that limits its use to HTTPS connections, the affected browser versions don’t verify whether a cookie carrying that flag was actually set over HTTPS.

This means man-in-the-middle attackers could set an HTTPS cookie masquerading as another site: “an attacker may set cookies for example.com and override the real cookie for www.example.com.”

Fake cookies set in this way can facilitate the disclosure of any private data being transmitted in the session.

“We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by the implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari),” CERT says.

Site owners are advised to enable HSTS (HTTP Strict Transport Security) with the includeSubDomains option. This partially mitigates the attacker’s ability to set top-level cookies that may override subdomain cookies, since a plain-HTTP response for the parent domain (or any of its subdomains) is no longer accepted once the policy is cached.

The latest versions of the mentioned browsers are not affected, so it’s best to update your browser.
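As an added illustration (not from the article or the CERT note), the following Python toy model of a browser cookie jar shows why the injected cookie ends up beside the real one on an HTTPS request, and how a cached HSTS policy with includeSubDomains closes the plain-HTTP window the injection needs. All hosts and cookie values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str    # Domain attribute, e.g. "example.com" (also matches subdomains)
    secure: bool   # Secure flag: sent only over HTTPS

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain matching: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def store_cookie(jar: list, cookie: Cookie, set_over_https: bool) -> None:
    """Model of the vulnerable behaviour: the jar accepts a Secure cookie even
    when Set-Cookie arrived over plain HTTP, and records nothing about its origin
    (set_over_https is deliberately ignored, as the affected browsers did)."""
    jar.append(cookie)

def cookies_for_request(jar: list, host: str, https: bool) -> list:
    """Cookies a browser attaches: every domain-matching cookie, Secure ones only
    over HTTPS. Both the real and the injected cookie qualify for www.example.com."""
    return [c for c in jar if domain_matches(host, c.domain) and (https or not c.secure)]

def hsts_upgrades(hsts_cache: dict, host: str) -> bool:
    """True when a cached HSTS policy {host: includeSubDomains} forces this host to
    HTTPS, so a plain-HTTP response (and its Set-Cookie) is never accepted for it."""
    return any(host == h or (subs and host.endswith("." + h))
               for h, subs in hsts_cache.items())

def demo(hsts_cache: dict) -> dict:
    """Constructed scenario: a real Secure session cookie for www.example.com, then a
    man-in-the-middle on http://example.com tries to inject Domain=example.com."""
    jar = []
    store_cookie(jar, Cookie("session", "legit", "www.example.com", True), set_over_https=True)
    if hsts_upgrades(hsts_cache, "example.com"):
        blocked = True   # browser upgrades the request; no plain-HTTP response to tamper with
    else:
        blocked = False
        store_cookie(jar, Cookie("session", "rogue", "example.com", True), set_over_https=False)
    sent = cookies_for_request(jar, "www.example.com", https=True)
    # The server receives "session=legit; session=rogue" as plain name=value pairs
    # and has no way to tell which one its own origin actually set.
    return {"blocked": blocked, "sent": [c.value for c in sent]}

if __name__ == "__main__":
    print(demo({}))                         # no HSTS: {'blocked': False, 'sent': ['legit', 'rogue']}
    print(demo({"www.example.com": False})) # HSTS without includeSubDomains: still injectable
    print(demo({"example.com": True}))      # HSTS + includeSubDomains: {'blocked': True, 'sent': ['legit']}
```

Note that the mitigation only works once the browser has the HSTS policy cached (or preloaded); a first visit over HTTP remains exposed, which is why the advisory calls it a partial fix.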
