The Dangers of Improper Cookie Use 191
shifted89 writes "Over the last year, the security community have exposed web application security for what it is — extremely lacking. However, for all the focus on XSS, CSRF, history stealing, etc., not much attention has been given to the cookie. Unfortunately, cookie misuse can be just as dangerous, if not more so than XSS attacks and InformIT illustrates why. In short, the author clearly demonstrates what can happen when a website improperly uses cookies for customer tracking — including a working illustration."
practical, perhaps? (Score:5, Insightful)
Oh well, I guess this is just another lesson in how marketers will shoot themselves in the foot. Animated gifs are abused, so i turn animation off. Cookies are abused, so i reject any cookie that is not obviously necessary. Flash is useful, but no way to request that it does not start automatically, so either I don't install it or install a hack to block it. I don't even see the product that is being advertised.
I hope this gets everyone off thier high horse, and realize that third party cookies should be rejected on all machines by default. What I really wish existed was a screen that popped up every time you went to a new site that informed the user of the site, and asked for a cookie preference for that site. That way, all cookies could be accepted at the corporate site, and no cookies might be accepted at google.
Re:Obligatory (Score:3, Insightful)
My problem is that I missed the Anonymous Coward Check box, and now, my karma has taken a hit. Sigh.
Oh well. Live and learn
How old is this article? (Score:5, Insightful)
It says "updated Dec 15, 2006" but the comments at the end of the article are all dated from 2004. I mean, the problem is much older than that, but it seems the article was just updated with 2006 dates to make it seem more current. Or am I missing something?
Cookie on cookie misuse link (Score:4, Insightful)
Other things they do is prohibit tabbed browsing by using javascript to open an image from a thumbnail to a new window. Can someone please send these guys to a usability crash-course?
I love the start of this article (Score:3, Insightful)
Re:cookies passed as plaintext (Score:5, Insightful)
There was a merchant site that I visited quite some time ago that did something like this. Except they screwed it up and, along with putting the session ID in the URL, they "automatically" tied the session id with account information. The effect this had was that anyone who visited a copied URL would pull up the account information of the person who had spread the URL around.
It took some time to figure it out. The URL was posted on a fairly busy forum, and it was a fairly fast selling item, and 50+ people had used the link to try and make a purchase.. and every time someone checked out, the account was updated with their information.
I'm not sure what the lesson here is, other than the fact that any "safe practice" can become insecure in the hands of idiots. Cookies aren't an inherently stupid idea, but the ease of using them invites a lot of abuses.
Re:Cookies? Javascript? Etc? (Score:5, Insightful)
Hmm. Animated GIFs? Check. Blink? Check. Scrolling status bar? Check. Background MIDI files? Check. Pop-ups? Check. Flash ads with full video and sound? Check. Garish color schemes? Double-check.
I think you're on to something!
Re:Obligatory (Score:4, Insightful)
No need to beat a man while he's down.
Re:Cookie on cookie misuse link (Score:2, Insightful)
this is not possible with javascript 'links' which may or may not do things as you would expect and certainly destroy any usage patterns you have achieved and do so without a valid reason.
Re:Cookies? Javascript? Etc? (Score:4, Insightful)
Re:cookies passed as plaintext (Score:4, Insightful)
How does that do anything for the example given? If someone uses a sniffer at a wireless access point with NAT, they have access to the same IP as their victim.
Firefox could do better (Score:3, Insightful)
For example, just look at their cookie management under "privacy". Sure, they have white and blacklists for cookies, and that's fine. But bring up your cookie list - the *ONLY* option you have for each cookie is to delete.
Why isn't there are "delete and block" button? It would be SO SIMPLE to add this function, and make the management of cookies so much simpler for the 95% of web users like me who want to accept *most* cookies, and only block obvious cross-site tracking cookies.
The task of copying cookies from one list to another is very tedious. This sort of thing should be able to be automatic.
Re:Cookie on cookie misuse link (Score:5, Insightful)
The correct way is - and always has been - to leave that to the user. Useability studies have shown time and again that new windows popping open unannounced are unwelcome, even frightening to many computer users. And the quickest way to piss off power users like me is to presume to know better than I how your site should be displayed.
This behaviour is another legacy of assuming that the entire world browses with certain versions of MSIE. The only reasonable way in that browser to keep track of multiple sites was to open links in new windows. But even then, such presumption was unwelcome to most people, even many IE users.
The only remaining (valid) use of the target attribute is in a frameset, and that monstrousity is not needed any more, what with the moderately decent CSS positioning support that is present in all modern browsers.
Re:Firefox could do better (Score:3, Insightful)