Vulnerability Note VU#804060
Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information
RFC 6265 (previously RFC 2965) established HTTP State Management, also known as "cookies". In most web browser implementations of RFC 6265, cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information.
HTTP cookies have long been known to lead to potential security issues when managing HTTP state. For example, in RFC 6265, Section 8.6:
Cookies do not provide integrity guarantees for sibling domains (and their subdomains). For example, consider foo.example.com and bar.example.com. The foo.example.com server can set a cookie with a Domain attribute of "example.com" (possibly overwriting an existing "example.com" cookie set by bar.example.com), and the user agent will include that cookie in HTTP requests to bar.example.com. In the worst case, bar.example.com will be unable to distinguish this cookie from a cookie it set itself. The foo.example.com server might be able to leverage this ability to mount an attack against bar.example.com.
A remote attacker may be able to obtain private information from a victim's HTTPS session.
A complete solution may include future updates to RFC 6265 and/or RFC 6454 to enable safer handling of cookies via an updated same origin policy for cookies.
Deploy HSTS on top-level domain
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple||Affected||19 May 2015||28 Oct 2015|
|Affected||19 May 2015||31 Aug 2015|
|Microsoft Corporation||Affected||19 May 2015||16 Sep 2015|
|Mozilla||Affected||19 May 2015||31 Aug 2015|
|Opera||Affected||19 May 2015||16 Sep 2015|
|Vivaldi||Affected||17 Aug 2015||16 Sep 2015|
CVSS Metrics (Learn More)
Thanks to Jian Jiang, Nicholas Weaver, et. al., for disclosing this vulnerability at USENIX Security 2015.
This document was written by Garret Wassermann.
- CVE IDs: Unknown
- Date Public: 13 Aug 2015
- Date First Published: 24 Sep 2015
- Date Last Updated: 28 Oct 2015
- Document Revision: 87
If you have feedback, comments, or additional information about this vulnerability, please send us email.