Browser cookie handling could widen web attack space

A web security researcher has revealed a major new threat to most websites due to the contradictory way that cookies and the domain name system (DNS) act.

Mike Bailey, a senior web security researcher at Foreground Security, released a paper this week demonstrating something most corporations didn't think could happen: A vulnerability on one of their website subdomains can be used to attack their main production domain, which often contains the data that criminals seek to steal.

Most webmasters operate under the false assumption that, because DNS is hierarchically structured and segmented, an exploit on a subdomain (for instance, mail.google.com) cannot affect the principal domain (google.com), Bailey told SCMagazineUS.com on Wednesday. But the way browsers handle cookies makes this possible: cookies are designed so that any subdomain can set, and overwrite, cookies scoped to the main domain.
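The cookie-scoping behaviour the paragraph describes can be reproduced offline with the standard library's `http.cookiejar`, which implements the same domain-matching rules browsers use. The example below is added here and is not code from the article or from Foreground Security; the hostnames `www.example.com`, `sub.example.com` and `other.example.com`, the cookie names and the `FakeResponse`, `receive`, `cookies_sent_to` and `duplicate_names` helpers are constructed for the demonstration. It shows that a `Set-Cookie` issued by the subdomain with `Domain=example.com` is stored as a parent-domain cookie and is sent to the production host alongside its own host-only session cookie, producing a `Cookie` header with two `session` values, while a cookie the subdomain sets without a `Domain` attribute stays on the subdomain.

```python
"""Constructed demo: a subdomain's cookie reaching the parent site."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response. CookieJar.extract_cookies only
    needs .info() to return a Message-like object with get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message keeps repeated headers

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Store cookies as a browser would after a response from `url`."""
    jar.extract_cookies(FakeResponse(set_cookie_headers), Request(url))


def cookies_sent_to(jar, url):
    """Return the (name, value) pairs the browser would place in the Cookie
    header of a request to `url`, in header order."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return [tuple(part.split("=", 1)) for part in header.split("; ")]


def duplicate_names(pairs):
    """Cookie names that occur more than once in a single Cookie header.
    A server reading such a header cannot tell its own cookie from the
    injected one, and RFC 6265 leaves the ordering of the two undefined."""
    seen, dupes = set(), set()
    for name, _ in pairs:
        if name in seen:
            dupes.add(name)
        seen.add(name)
    return sorted(dupes)


def demo():
    """Return what each host would receive from one browser cookie jar."""
    jar = CookieJar()
    # The production site sets its session cookie without a Domain attribute,
    # so it is host-only: scoped to www.example.com and nothing else.
    receive(jar, "https://www.example.com/", ["session=legit; Secure; HttpOnly"])
    # A subdomain (e.g. one with an XSS flaw) sets a cookie whose Domain names
    # the parent. Browsers accept it: sub.example.com lies within example.com.
    receive(jar, "https://sub.example.com/",
            ["session=forced; Domain=example.com; Path=/"])
    # A host-only cookie set by the subdomain stays on the subdomain.
    receive(jar, "https://sub.example.com/", ["local=only"])
    return {
        "www": cookies_sent_to(jar, "https://www.example.com/"),
        "sub": cookies_sent_to(jar, "https://sub.example.com/"),
        "other": cookies_sent_to(jar, "https://other.example.com/"),
    }


if __name__ == "__main__":
    for host, pairs in demo().items():
        print(host, pairs, "duplicates:", duplicate_names(pairs))
```

Running `demo()` shows `www.example.com` receiving both `session=legit` and `session=forced`, and every other host under `example.com` receiving the forced cookie too, which is the "entire domain name space" effect Bailey describes. The practical server-side check is `duplicate_names`: a session handler that sees the same cookie name twice should treat the session as untrusted rather than pick one value. (Browsers released after this article also honour the `__Host-` cookie-name prefix, which rejects any such cookie that carries a `Domain` attribute; `http.cookiejar` does not enforce that prefix, so it is not shown here.)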

All an attacker would need to do is locate a vulnerability on a subdomain, such as a cross-site scripting or cross-site request forgery flaw, which is quite possible given that most of those pages lack security, Bailey said.

"If I can find a vulnerability on any subdomain, I can leverage that vulnerability against the entire domain name space," he said. "It allows you to affect the way the browser treats [a user's] logged-in session. If I was Amazon, for example, I could put items in your shopping cart, change your password, change your session...because that's all stored in the cookie."

In a paper he published this week, Bailey offered proof-of-concept examples for Google, Expedia and Chase Manhattan Bank. What makes this attack particularly troubling is that in many cases, the companies set up these subdomains for third parties over which they have no security control.

"It's an arcane, difficult exploit to explain," Mike Murray, CISO at Foreground, told SCMagazineUS.com on Wednesday. "But what it comes down to is that every subdomain has as much power to exploit your users as your main domain does. That's a game-changer in a lot of ways for large organizations."

As a result, the two researchers suggest that corporations apply the same level of security to their subdomains as they do their parent domains.

"It's not just 'check the vulnerabilities on the important stuff,'" Murray said. "It's 'check the vulnerabilities on everything that is public facing.' It lowers the ante for the attacker. In the old days, we'd think that if the main site was secure, everything was fine. Now the attacker can go through the side doors."

For a permanent fix, the major browser providers must fundamentally change the way cookies operate, Bailey said.

He added that he is not aware of any in-the-wild exploits that have taken advantage of the problem, but said organizations shouldn't wait to react.

"I do know the attackers know about this issue because I've talked to some of them," he said.
