Man-in-the-middle attacks are nothing new, but when the attack includes cookie injection, things get messy. In August, security researcher Xiaofeng Zheng published a PDF describing the methods that make such an attack work.
In the PDF, Zheng detailed the lack of security around cookies. “The same-origin policy is a cornerstone of Web security, guarding the Web content of one domain from the access from another domain. The most standard definition of ‘origin’ is a 3-tuple, consisting of the scheme, the domain and the port number. However, the notion of ‘origin’ regarding cookies is fairly unusual—cookies are not separated between different schemes like HTTP and HTTPS, as well as port. The domain isolation of [the] cookie is also weak: Different but related domains can have a shared cookie scope. A cookie may have a ‘secure’ flag, indicating that it should only be presented over HTTPS, ensuring confidentiality of its value against a network man-in-the-middle.”
Unfortunately, this security measure is easily circumvented, wrote Zheng. “There is no similar measure to protect its integrity from the same adversary: An HTTP response is allowed to set a secure cookie for its domain. An adversary controlling a related domain is also capable of disrupting a cookie’s integrity by making use of the shared cookie scope. Even worse, there is an asymmetry between [the] cookie’s read and write operations involving pathing, enabling a more subtle form of cookie integrity violation.”
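The three cookie rules Zheng describes (a plain-HTTP response may set a Secure cookie, related domains share a cookie scope, and a narrower path shadows a broader one when the Cookie header is built) are easy to see in a toy cookie store. The following Python is an added example written for this article, not code from Zheng's paper or from any browser; the domain `bank.example`, the cookie names and values, and the `CookieJar` class are constructed for illustration. With `strict_secure=False` the jar behaves as the article describes; with `strict_secure=True` it applies the "Strict Secure Cookies" rule that browsers later adopted (a non-secure response can neither set a Secure cookie nor overwrite an existing Secure cookie in an overlapping scope), which is the mitigation a defender wants to confirm their user agents and frameworks implement.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # Domain attribute (or the response host when absent)
    path: str     # Path attribute
    secure: bool  # Secure flag: only *sent* over HTTPS (confidentiality, not integrity)


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the host is the cookie domain or a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match (simplified)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Minimal client-side cookie store (constructed for this example).

    strict_secure=False reproduces the behaviour the article describes: any
    response, HTTP or HTTPS, may set a Secure cookie for its domain.
    strict_secure=True applies the 'Strict Secure Cookies' rule (RFC 6265bis):
    a non-secure response may neither set a Secure cookie nor overwrite an
    existing Secure cookie of the same name in an overlapping scope.
    """

    def __init__(self, strict_secure: bool = False) -> None:
        self.strict_secure = strict_secure
        self.cookies: List[Cookie] = []

    def set_cookie(self, response_scheme: str, response_host: str, cookie: Cookie) -> bool:
        # Shared cookie scope: the Domain attribute only has to cover the response
        # host, so cdn.bank.example may set a cookie scoped to bank.example.
        if not domain_matches(response_host, cookie.domain):
            return False
        if self.strict_secure and response_scheme != "https":
            if cookie.secure:
                return False
            shadowed = [c for c in self.cookies
                        if c.secure and c.name == cookie.name
                        and (domain_matches(c.domain, cookie.domain)
                             or domain_matches(cookie.domain, c.domain))
                        and path_matches(cookie.path, c.path)]
            if shadowed:
                return False
        # Same name, domain and path replaces the stored cookie.
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (cookie.name, cookie.domain, cookie.path)]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, scheme: str, host: str, path: str) -> List[Tuple[str, str]]:
        """Cookie header contents for a request, as (name, value) pairs."""
        sent = [c for c in self.cookies
                if domain_matches(host, c.domain) and path_matches(path, c.path)
                and (scheme == "https" or not c.secure)]
        # RFC 6265 section 5.4: longer paths come first, so a cookie with a more
        # specific path shadows a same-named cookie set for "/". Servers that
        # read only the first value see the shadowing one; that is the
        # read/write asymmetry the article refers to.
        sent.sort(key=lambda c: len(c.path), reverse=True)
        return [(c.name, c.value) for c in sent]


def run_scenario(strict_secure: bool) -> List[Tuple[str, str]]:
    """Constructed scenario: the site sets its session cookie over HTTPS, then a
    plain-HTTP response for the same domain sets a Secure cookie of the same name
    on a narrower path. Returns what an HTTPS request to /account would send."""
    jar = CookieJar(strict_secure=strict_secure)
    jar.set_cookie("https", "bank.example",
                   Cookie("session", "legit", "bank.example", "/", secure=True))
    jar.set_cookie("http", "bank.example",
                   Cookie("session", "injected", "bank.example", "/account", secure=True))
    return jar.cookies_for("https", "bank.example", "/account")


if __name__ == "__main__":
    print("legacy jar:", run_scenario(strict_secure=False))
    print("strict jar:", run_scenario(strict_secure=True))
```

The legacy jar sends `session=injected` ahead of `session=legit`, so a server that takes the first value of a duplicated cookie name sees the one set over plain HTTP even though both carry the Secure flag; the strict jar refuses the second `Set-Cookie` and sends only `session=legit`. The Strict Secure Cookies rule is a client-side fix; on the server side the same class of problem is what the later `__Host-` cookie-name prefix (which requires Secure, no Domain attribute and Path=/) is designed to rule out, and a server that rejects duplicate cookie names outright rather than silently taking the first value removes the path-shadowing case as well.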
CERT has issued an advisory for these attacks, and has revealed that all major browsers are vulnerable to them.