
Identifying and authenticating users on the web is a cakewalk, thanks to the use of HTTP cookies. They allow website developers to store users' website preferences or authentication tokens in the browser. In return, users can remain logged into a website without having to re-enter their credentials on every visit. Win-win situation for everybody, right?

Hold your horses. Due to the ever-evolving web, the way these cookies are implemented leaves some room for attackers to perform intrusive attacks. Exploring this domain, researchers at Belgium's Catholic University in Leuven bagged the Distinguished Paper prize this year at the USENIX Security Conference for their award-winning presentation, "Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies".

How did the team discover these web security loopholes?

The authors managed to reveal an array of surprisingly devastating and never-seen-before tracking techniques. These techniques were used to identify web users who relied on privacy tools supplied by browser vendors as well as on third-party tracking-blocking tools.

They tested a total of 7 browsers and 46 browser extensions. The tracking techniques used the AppCache API; "lesser-known HTML tags"; the Location response header; various <meta> redirects; JavaScript in PDF files; JavaScript's location.href property; and service workers to track users across sites.

These techniques managed to bypass the stock privacy protections built into the browsers. Apart from that, they also managed to get around the latest privacy settings of Firefox. The techniques were advanced enough to work against popular cookie-blocking, ad-blocking and script-blocking browser extensions.

Thankfully, there are no real-world concerns about these techniques being exploited yet. The researchers tipped off the browser vendors before they went public. This should stand as a lesson for browsers to be better equipped to defend against these tactics. But until then, we're all vulnerable to websites using these tactics to track us virtually everywhere!

Here is a snapshot of the results that the team came across:

Source: wholeftopenthecookiejar.eu

Exploits and their Countermeasures as explored by the Researchers

The team has not only come up with a list of 10 exploits but has also suggested measures to combat them.

Here is the list, in brief, to give you the gist:

#1 Bypasses for the Opera AdBlocker discovered

While the built-in ad blocker is enabled, the team discovered that requests to cross-site blacklisted domains can still be sent using various mechanisms in Opera.

#2 Various bypasses discovered for the same-site cookie policy in Edge

The same-site cookie policy implemented by Edge can be bypassed in multiple ways.

#3 The option to block third-party cookies in Safari 10 does not exclude cookies set in the first-party context from future cross-site requests

In Safari 10 when users enable “allow cookies from the current website only”, cookies that are set in a first-party context are still included in cross-site requests. Safari blocks only the setting of cookies and not the sending of cookies.

#4 Enabling the option to block third-party cookies in Edge has no effect

Even when users enable the option to block third-party cookies in Edge, they are still included in all requests.

#5 The option to block third-party cookies can be bypassed in Chromium through PDF files

JavaScript embedded in PDF files can be used to send GET or POST requests to a cross-site domain. In Chromium, this bypasses the option to block third-party cookies. Affected Browsers are Chrome and Opera.

#6 Cross-site requests initiated by PDF files bypass the WebExtension API provided by Chromium

Researchers found that extensions such as ad blockers or privacy extensions cannot intercept requests initiated by PDF files that are opened in Chrome or Opera through the WebExtension API.

#7 Bypasses for the Firefox Tracking Protection discovered

Firefox Tracking Protection can be bypassed easily by various mechanisms. Cross-site requests directed at blacklisted domains can be sent while this countermeasure is enabled.

#8 Requests initiated by the AppCache API are not easily distinguished from requests initiated by browser background processes

Once again in the Firefox browser, it is proving to be a difficult task for extension developers to distinguish requests initiated by the browser's background processes from requests initiated by websites.

#9 Requests to fetch the favicon are not interceptable by Firefox extensions

Looks like Firefox had a lot to fix in its extension support: extensions were not able to intercept (cross-site) requests to fetch the favicon through the WebExtension API. This has since been fixed.

#10 Same-site cookie policy bypass discovered in Chromium

Prerender functionality can be leveraged to initiate cross-site requests, and these requests include same-site cookies even when they are assigned the value strict. This bug was no longer detected for multiple versions starting from Chrome 62; however, it returned in Chrome 66, 67 and 68.
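The common thread in #3, #4, #5 and #10 is that a server cannot assume the browser will actually withhold its cookies on cross-site requests. The following is an added example (not code from the paper or from wholeftopenthecookiejar.eu) of the defence-in-depth a web application can apply on its own side: it issues the session cookie with SameSite, Secure and HttpOnly attributes, and independently inspects the Sec-Fetch-Site, Origin and Referer request headers to reject cookie-bearing state-changing requests that come from another site, and to flag cookie-bearing cross-site reads as a tracking or leakage signal. The header names and cookie attributes are real; the origin `https://app.example`, the cookie name `session` and the sample requests are constructed for illustration.

```python
"""Server-side checks that do not rely on the browser's cookie policy.

Added example, not part of the paper or its test site. SITE_ORIGIN, the
cookie name and the sample requests below are constructed.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"          # assumed first-party origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}     # methods that must not change state


def session_cookie_header(token: str) -> str:
    """Build a Set-Cookie header for the session cookie.

    SameSite=Strict asks the browser not to attach the cookie to any
    cross-site request; Secure and HttpOnly keep it off plain HTTP and
    away from page scripts.  The server still verifies provenance below,
    because the bypasses above show the browser may not honour this."""
    return (f"session={token}; Path=/; Secure; HttpOnly; "
            "SameSite=Strict; Max-Age=3600")


def is_cross_site(headers: dict) -> bool:
    """Decide whether a request originated from another site.

    `headers` must have lower-case keys.  Sec-Fetch-Site is preferred
    when the browser sends it; otherwise Origin, then Referer, is parsed.
    With no provenance information at all the request is treated as
    cross-site so that the caller fails closed."""
    sfs = headers.get("sec-fetch-site")
    if sfs is not None:
        # 'same-origin', 'same-site' and 'none' (typed URL/bookmark) are fine
        return sfs == "cross-site"
    for name in ("origin", "referer"):
        if name in headers:
            parts = urlsplit(headers[name])
            return f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN
    return True


def decide(method: str, headers: dict) -> str:
    """Return 'allow', 'reject' or 'flag' for one request.

    reject: a cross-site request that both carries the session cookie and
            would change state (classic CSRF shape, even if the browser
            should have stripped the cookie).
    flag:   a cross-site read that carries the session cookie; harmless to
            serve, but worth logging because the browser's third-party
            cookie blocking evidently did not apply."""
    h = {k.lower(): v for k, v in headers.items()}
    carries_session = "session=" in h.get("cookie", "")
    if not carries_session:
        return "allow"               # anonymous request: nothing to protect
    if not is_cross_site(h):
        return "allow"
    if method.upper() not in SAFE_METHODS:
        return "reject"
    return "flag"


# Constructed sample requests, one per scenario described in the article.
SAMPLE_REQUESTS = [
    ("POST", {"Cookie": "session=abc", "Sec-Fetch-Site": "same-origin"}),
    ("POST", {"Cookie": "session=abc", "Sec-Fetch-Site": "cross-site"}),
    ("GET",  {"Cookie": "session=abc", "Referer": "https://tracker.example/x"}),
    ("GET",  {"Sec-Fetch-Site": "cross-site"}),
    ("POST", {"Cookie": "session=abc", "Origin": "https://app.example"}),
    ("POST", {"Cookie": "session=abc"}),   # no provenance headers at all
]


def run_samples() -> list:
    """Classify every constructed request; used by main() and by tests."""
    return [decide(m, hdrs) for m, hdrs in SAMPLE_REQUESTS]


def main() -> None:
    print("Set-Cookie:", session_cookie_header("abc"))
    for (method, hdrs), verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{method:5} {verdict:7} {hdrs}")


if __name__ == "__main__":
    main()
```

The Sec-Fetch-Site branch is the cheapest and most reliable signal in current browsers; the Origin/Referer fallback covers older clients, and the fail-closed default means a request that hides all provenance cannot perform a cookie-authenticated write. Anti-CSRF tokens remain a complementary control on top of this.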

You can read the entire catalog to understand how your cookies are at stake (pun intended). The browser vendors have been made aware of these bugs, and solutions have been proposed to rectify browser APIs and tools to deal with these exploits.
Along with the aforementioned reports, wholeftopenthecookiejar.eu includes a breakdown of every test that the researchers carried out against each of the 7 browsers and 46 extensions, including which version was tested.

You can read the paper presented by Gertjan Franken, Tom Van Goethem and Wouter Joosen for an inside view of why they won the award and we are sure you will agree with the same!
