Concerns in this area are also not exactly new. For example: in 2011, the European Union approved the Cookie Law: even though some people were a bit disappointed after discovering it would not make access to delicious chocolate cookies a fundamental human right, this new regulation was another important step towards protecting personal data and guaranteeing the right to privacy. It basically states that websites need to seek consent before exposing you to cookies.
Simply put, cookies are an important tool on the internet and have the potential to give businesses a great deal of insight into their users’ online activity. Far beyond the privacy-related issues, there are many ways that unprotected cookies can be manipulated and expose both users and organizations to severe security incidents.
What are cookies and how do they work?
Cookies are small text files that websites place on your devices as you are browsing. In fact, the cookies themselves are quite harmless; they are processed and stored by your web browser and are fundamental to some functions on websites, such as the aforementioned shopping carts.
Cookie usage is very simple to describe. When you visit a website, your browser sends a request; the website replies with the requested information and a cookie that is stored in your browser. Whenever you send another request to the same site, your browser also sends the cookie, so you can be easily identified. This can be used in functions such as selecting a language on a multilingual website, keeping your user authenticated or tracking your actions. In fact, it’s quite possible that there are literally thousands of cookies stored in your browser right now.
There are three basic types of cookies, and each has a specific purpose:
- Session cookies: These are temporary cookies. They should only be valid for a single session and disappear once you close your browser, as they are usually kept in active memory. This is the most common type of cookie. Basically, they tell the server that all your requests (within a period of time) came from the same source and should be treated as a single session.
- Permanent cookies: This type of cookie is used to identify you for a longer period, over multiple different sessions. It is also known as a persistent cookie. These cookies are stored in your hard drive and will not be deleted automatically.
Permanent cookies have two basic functions: Authentication and Tracking. For example, each time you activate a “remember me” or “keep me logged in” on a website, you are using a permanent cookie for authentication purposes.
Now for the tracking part. Most of the time they are automatically activated, and unless the website provides you with an alert or gives the option to disable unnecessary cookies, this can be done without you even knowing it.
- First-party and third-party cookies: Some cookies are created by the website you are visiting. For example, most session cookies are first-party cookies. But there is also the case of cookies being created by a website you are not even visiting: these are third-party cookies, also known as marketing or advertising cookies, and are used for tracking a user and gathering information over different websites.
As third-party cookies gather more and more information, they are used to provide a “personalized experience.” For most cases, this means you will be receiving custom ads based on information such as previous queries, behaviors, geographic location, interests and more.
So, if temporary cookies vanish automatically and persistent cookies usually can be easily viewed and deleted, then what’s the fuss about? Well, for starters, third-party cookies can represent a severe risk to privacy, but that’s not the only problem. There are several types of frauds and cyberattacks based on exploiting cookies vulnerabilities, and that may lead to severe security incidents.
It’s not like you can get a virus from a cookie; after all, they are just simple text files and do not contain any sort of executable. Yet, depending on how cookies are used and exposed, they can represent a serious security risk.
For instance, cookies can be hijacked. As most websites utilize cookies as the only identifiers for user sessions, if a cookie is hijacked, an attacker could be able to impersonate a user and gain unauthorized access.
This may happen in several different ways:
- Capturing cookies over insecure channels: Any cookie related to authentication should always be transmitted securely, but that is not always the case. One example is cookies without a security flag. When a cookie is set with the Secure flag, it instructs the browser that the cookie can only be accessed over secure SSL/TLS channels. If the secure flag is not set, a cookie can be transmitted in cleartext — for instance, if the user visits any HTTP URLs within the cookie’s scope. This would allow an attacker eavesdropping network traffic to easily capture the cookie and use it to gain illegitimate access.
- Session fixation: This is another attack that allows an attacker to hijack a valid user session. This time, it exploits a limitation in the way the web application manages the session ID. For example, if an application allows a session token in the query parameters, an attacker may send a user an URL with a specific session ID included in its arguments. Now, when the user authenticates by using this URL, the attacker can hijack the session.
- Cross-site request forgery (CSRF): This is a type of attack that exploits a website by making it execute unauthorized commands that are transmitted from a user that the web application trusts.
In a CSRF attack, the attacker’s objective is to use an innocent victim to unknowingly submit a maliciously crafted web request to a website that the victim has privileged access to. Since the victim is already logged, any request coming from his browser will be deemed as trustworthy and be executed.
For an CSRF attack to work, an attacker must first identify a reproducible web request that executes a specific action — for example, changing a password on the target page. Once such a request is identified, a link can be created that generates this malicious request and that link can be embedded on a page within the attacker’s control. Even worse, it may not even be necessary for the victim to click the link. For instance, it may be embedded within an html image tag on an email sent to the victim, which will automatically be loaded when the victim opens their email.
- Cookie tossing: A cookie tossing attack is based on providing a user with a malicious cookie that has been designed to look like it came from the targeted site’s subdomain. Of course, this becomes especially problematic when a website allows untrusted people to host subdomains under its domain. When the user visits the target site, all cookies are sent, both valid and the ones appearing to be from subdomains.
In this attack, the ability to take over a session is quite limited, because the attacker can only write information, not read anything. However, cookie tossing can be used to set arbitrary cookie values that, in some cases, can be used for a CSRF attack or an XSS injection, depending on what the main domain does with the content of the cookie.
Cookies may also represent a severe risk to privacy. Their usage in tracking users evolved significantly throughout the years, from simple operations such as counting ad impressions, views and clicks, to limiting popups and preserving ad sequence, marketing cookies are now able to perform user profiling/website preference tracking. With most of the largest websites using large-scale third-party ad serving networks such as Google’s Adsense/Adwords, this attracted a lot of controversy and concern amongst online consumer privacy groups, to the point of specific regulations being developed to prevent abuse.
So: is it safe to enable cookies? In short, yes, of course it can be! Of course, cookies carry several security and privacy risks, but they can also be very useful and provide essential functions to most current websites. Therefore, completely disabling cookies is not a feasible approach.
The focus should be on making sure that cookies are used in a secure way. There are many simple steps a developer can take to mitigate vulnerabilities — for example, enabling the HTTPOnly flag when generating a cookie helps mitigate the risk of client-side script accessing the protected cookie. Similarly, the Secure Cookie flag prevents the cookie from being sent over an unencrypted HTTP request, eliminating the possibility of it being observed by unauthorized parties due to the transmission of the cookie in cleartext.
There are also basic steps a user can take to avoid cookie-related security risks. For instance, it is essential to keep your browser updated. Also, most modern browsers allow you to easily delete or even block cookies. If you are not satisfied, there are a number of browser plugins/extensions to manage or even auto-delete cookies. This can also be applied to privacy-related problems, as it makes it easier to block those nasty advertising cookies.
It is just as an old Oracle used to say:
“Here, take a cookie. I promise, by the time you’re done eating it, you’ll feel right as rain.”
- Session fixation, OWASP
- Secure Cookie Flag, OWASP
- Are You Using Cookies? Then This Ultimate Guide Is For You, HTML.com
- What are cookies?, Internet Cookies