Bugtraq mailing list archives
Re: Evil Cookies.
From: reinke () E-SOFTINC COM (Thomas Reinke)
Date: Sat, 5 Feb 2000 00:58:47 -0500
I believe that Netscape may have had to break their own spec here. Consider a valid domain such as "tdbank.ca" (a Financial Institution in Canada). They have a top level domain that is not in the list allowing 2 periods. If Netscape enforced the spec, web sites in this domain (e.g. www.tdbank.ca) would never be able to set cookies to all hosts in that domain (e.g. www.tdbank.ca, secure.tdbank.ca). I suspect Netscape will probably allow any domain with 2 dots in it (.anydomain.tld). So, as a result, in areas where the domain hierarchy runs a bit deeper (.com.uk, .com.au) it would be possible for a site to set a cookie that then was sent to every other site in that same hierarchy.

There is no easy patch to this problem. The only solution I can think of, which is not an easy one, would be to have browsers have intimate knowledge of what constitutes an organization's "domain of influence", and limit cookies accordingly. This is essentially impossible to implement. (Consider domain.city.state.country - where is the allowable domain of influence here? Probably 4 levels deep, but how to indicate this to the browser?)

I don't think that this makes data collection any easier - but it DOES make data dissemination easier. It's a no-win for the marketing folks, because they want to collect as much data as possible, and give out as little as possible except to those who pay for it. In this case, this capability simply makes it easier for a marketing company to set a cookie that gets sent to all web sites. Big deal - either they end up giving away their information for free (don't bet on it), or they put very little into the cookie that is of any value to begin with. Unless someone can think of some sinister twist to which this capability can be put to use?

Cheers,
Thomas

Iain Wade wrote:
Hello, I have an evil cookie observation I'd like to share:

While developing some CGI stuff, I noticed that my browser was sending a cookie which didn't make sense since I had control of that domain and I hadn't issued any cookies .. the name "CyberTargetAnonymous" didn't fill me with confidence either.

After refreshing my knowledge of cookies at Netscape's developer site below I noticed something strange:

http://developer.netscape.com:80/docs/manuals/communicator/jsguide4/cookies.htm

In the section "Determining a valid domain" is this little gem:

<quote>
If the domain attribute matches the end of the fully qualified domain name of the host, then path matching is performed to determine if the cookie should be sent. For example, a domain attribute of royalairways.com matches hostnames anvil.royalairways.com and ship.crate.royalairways.com. Only hosts within the specified domain can set a cookie for a domain. In addition, domain names must use at least two or three periods. Any domain in the COM, EDU, NET, ORG, GOV, MIL, and INT categories requires only two periods; all other domains require at least three periods.
</quote>

So my questions are these:

a) Why would Netscape Communicator 4.7 accept a cookie like this (invalid -- only two periods):

.com.au TRUE / FALSE 1264987602 CyberTargetAnonymous NMN000CDCF833FA08963E9BDBC6CAA59301

b) How can this be used by some mass marketing company to turn me into a number in their systems for sale to the highest bidder?

Just because you're paranoid doesn't mean they're not all out to get you.

-- Iain Wade
--
------------------------------------------------------------
Thomas Reinke                          Tel: (905) 331-2260
Director of Technology                 Fax: (905) 331-2504
E-Soft Inc.                            http://www.e-softinc.com
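The exchange above turns on two rules from the quoted Netscape text: tail matching of the host against the Domain attribute, and the "two or three periods" count that decides which Domain values a browser should accept. The following is an added example, not code from the thread or from Netscape, that models those two rules literally so the consequences can be checked: a `.com.au` cookie is rejected by the letter of the spec, but so is a legitimate `.tdbank.ca` cookie, which is the conflict Thomas describes. Hostnames such as `shop.example.com.au` are constructed for illustration; the function names are this example's own.

```python
# Added example (not from the original thread): a minimal model of the Netscape
# cookie-spec domain rules quoted above. It shows which Domain attributes the
# spec accepts, which hosts a cookie would be sent to under tail matching, and
# why ".com.au" and a legitimate ".tdbank.ca" both fail the same period count.

# Top-level domains the quoted spec lists as needing only two periods.
TWO_PERIOD_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def normalize_domain(domain_attr: str) -> str:
    """Lower-case the attribute and ensure a leading period for tail matching."""
    d = domain_attr.strip().lower()
    return d if d.startswith(".") else "." + d


def spec_allows_domain(domain_attr: str) -> bool:
    """Apply the period-count rule from the quoted Netscape cookie spec.

    Domains under COM/EDU/NET/ORG/GOV/MIL/INT need at least two periods
    (".royalairways.com" passes); everything else needs at least three, so
    ".com.au" is rejected, but so is ".tdbank.ca" (Thomas's objection).
    """
    d = normalize_domain(domain_attr)
    periods = d.count(".")
    tld = d.rsplit(".", 1)[-1]
    required = 2 if tld in TWO_PERIOD_TLDS else 3
    return periods >= required


def domain_matches(host: str, domain_attr: str) -> bool:
    """Tail-match a request host against a cookie Domain attribute."""
    return host.lower().endswith(normalize_domain(domain_attr))


def may_set_cookie(setting_host: str, domain_attr: str) -> bool:
    """Only a host inside the domain may set a cookie for it, and only if the
    Domain attribute itself passes the period-count rule."""
    return spec_allows_domain(domain_attr) and domain_matches(setting_host, domain_attr)


def hosts_receiving(domain_attr: str, hosts: list[str]) -> list[str]:
    """Return the subset of hosts that would be sent a cookie with this Domain."""
    return [h for h in hosts if domain_matches(h, domain_attr)]


if __name__ == "__main__":
    # Constructed sample hosts covering the thread's two cases.
    sample_hosts = ["shop.example.com.au", "news.other.com.au",
                    "www.tdbank.ca", "secure.tdbank.ca",
                    "anvil.royalairways.com"]
    for attr in [".com.au", ".tdbank.ca", ".royalairways.com"]:
        print(attr, "allowed by spec:", spec_allows_domain(attr),
              "| would be sent to:", hosts_receiving(attr, sample_hosts))
```

Running the script shows the dilemma in one screen: enforcing the rule blocks the `.com.au` cookie (every host under `.com.au` would otherwise receive it) but also blocks `.tdbank.ca`, while relaxing it to "any two dots" lets the `.com.au` cookie through. The "intimate knowledge of an organization's domain of influence" that Thomas calls impossible is what browsers later adopted in the form of a maintained public suffix list; this example deliberately sticks to the period-count rule the thread is discussing.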