Karamjit Posted September 25, 2015

Updating to the most recent browser versions is a must

CERT (Computer Emergency Response Team) revealed that all browser makers have misinterpreted and improperly implemented the RFC 6265 standard responsible for detailing how HTTP State Management should work.

If we bored you by going too technical all of a sudden, the RFC 6265 standard is usually referred to by most computer geeks and programmers as "browser cookies," and is an integral part of how the Web works, allowing websites to send and retrieve data from a user's browser.

According to CERT's announcement, "in most web browser implementations of RFC 6265, cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information."

This is because cookies do not provide any integrity guarantees for subdomains, nor do they provide isolation by port. These two details, when put together, can spell disaster for website owners: if they set a cookie via HTTP (port 80) on foo.example.com, nothing guarantees that the cookie won't be hijacked and used for intercepting HTTPS (port 443) on example.com.

Because browsers don't check how a secure flag is set in HTTPS cookies, attackers could easily intercept a regular HTTP cookie from one of the unprotected subdomains, add a secure flag, and then use it to override the main HTTPS cookie, being later able to intercept information about private sessions.

Browser vendors have already patched their products

Users that want to protect themselves from this kind of cookie injection MitM (Man-in-the-Middle) attack should upgrade to the most recent version of their browser. CERT has notified all browser makers since May, and they have now fixed this issue through updates launched between August 31 and September 16. All browsers were affected (Firefox, Safari, Chrome, Vivaldi, Opera, Edge, IE).
If you don't want to update (which is weird and not recommended), users could also block cookies in their browsers. For webmasters, CERT recommends they deploy HSTS (HTTP Strict Transport Security) on their top-level domain.
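As an added illustration, not part of the original post or of CERT's advisory, the script below replays the scenario described above against Python's own http.cookiejar, which follows the RFC 6265 cookie-scoping rules. The cookie names, header values and the canned "response" object are constructed for this demo; only the hostnames example.com and foo.example.com come from the post. The last function is a small check for the Strict-Transport-Security header that CERT recommends, assuming the operator sends it from the top-level domain.

```python
import email.message
import http.cookiejar
import urllib.request


class _CannedResponse:
    """Minimal stand-in for an HTTP response object: CookieJar.extract_cookies()
    only needs info() to return a headers mapping with get_all().
    The Set-Cookie values are constructed for this demo."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def build_jar():
    """Build a cookie jar holding one cookie set by the HTTPS origin and one
    injected through a plain-HTTP response from a subdomain (the position an
    on-path attacker controls). Both carry the Secure flag; the jar records
    nothing about which transport each one arrived over."""
    jar = http.cookiejar.CookieJar()  # default policy, RFC 6265-style scoping

    # 1. The real site sets its session cookie over HTTPS, host-only scope.
    https_req = urllib.request.Request("https://example.com/")
    jar.extract_cookies(_CannedResponse(["session=legit; Secure"]), https_req)

    # 2. A plain-HTTP response from foo.example.com sets a cookie scoped to the
    #    parent domain and marks it Secure. Domain=example.com is accepted
    #    because the jar only checks that the request host is inside it.
    http_req = urllib.request.Request("http://foo.example.com/")
    jar.extract_cookies(
        _CannedResponse(["session=injected; Domain=example.com; Secure"]),
        http_req,
    )
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url,
    or None when no stored cookie is eligible for that request."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def hsts_covers_subdomains(header_value):
    """Parse a Strict-Transport-Security header value and report whether it
    has a positive max-age and the includeSubDomains directive. Only then
    will a browser that has seen it refuse plain HTTP to hosts such as
    foo.example.com, which is what removes the injection point."""
    max_age = 0
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return False
        elif name == "includesubdomains":
            include_sub = True
    return max_age > 0 and include_sub


if __name__ == "__main__":
    jar = build_jar()
    # The HTTPS origin receives both cookies and has no attribute to tell
    # the injected one from its own.
    print("to https://example.com/ :", cookie_header_for(jar, "https://example.com/"))
    # The Secure flag only limits where a cookie is *sent*, not where it was set.
    print("to http://example.com/  :", cookie_header_for(jar, "http://example.com/"))
    for value in ("max-age=31536000; includeSubDomains", "max-age=31536000"):
        print(f"HSTS {value!r} covers subdomains:", hsts_covers_subdomains(value))
```

The cookie part shows the two gaps the post names: no integrity guarantee across subdomains (the HTTP response from foo.example.com may write a cookie for example.com) and a Secure flag that is honoured when sending but not checked when setting. The HSTS part shows why the mitigation has to cover subdomains: a policy without includeSubDomains still lets the browser talk plain HTTP to foo.example.com.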