Browser cookies can be used to bypass HTTPS connections and facilitate man-in-the-middle attacks, according to a CERT advisory.
“Attackers who act as a man-in-the-middle even temporarily on an HTTP session can inject cookies which will be attached to subsequent HTTPS connections,” the note says.
Modern browsers including Apple’s Safari, Mozilla’s Firefox and Google’s Chrome apparently have a faulty implementation that leaves them vulnerable to cookie injection attacks. Although a cookie can carry a ‘secure’ flag that limits it to HTTPS connections, outdated browsers don’t verify the source of a cookie before attaching it to an HTTPS request.
This means man-in-the-middle attackers could set an HTTPS cookie masquerading as another site: “an attacker may set cookies for example.com and override the real cookie for www.example.com.”
Fake cookies set in this way can facilitate the disclosure of any private data being transmitted in the session.
“We find that cookie-related vulnerabilities are present in important sites (such as Google and Bank of America), and can be made worse by the implementation weaknesses we discovered in major web browsers (such as Chrome, Firefox, and Safari),” CERT says.
Site owners are advised to enable HSTS (HTTP Strict Transport Security) with the includeSubDomains option. This partially mitigates the attacker’s ability to set top-level cookies that may override subdomain cookies.
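The two points above, that a cookie scoped to a parent domain is also sent to its subdomains regardless of how it was set, and that HSTS with includeSubDomains is the recommended partial mitigation, are easier to see in a small model. The following is an added example, not code from the CERT note or the article; the cookie-jar and header-checking logic is a simplified model written for illustration, and the `example.com` cookies are constructed sample data.

```python
"""Added example: a simplified model of RFC 6265 cookie domain matching,
plus a checker for the Strict-Transport-Security header that CERT
recommends (max-age with includeSubDomains). Not the advisory's own code."""

from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # host the cookie belongs to, or the Domain attribute
    host_only: bool    # True when the cookie was set without a Domain attribute
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching, restricted to DNS names."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookies_for_request(jar, host: str, scheme: str):
    """Return the cookies a browser would attach to a request for host/scheme.

    Nothing here looks at the scheme a cookie was originally set over: the
    Secure flag only restricts where a cookie is *sent*, which is the
    weakness the advisory describes.  A cookie with Domain=example.com is
    therefore delivered to https://www.example.com alongside the real one."""
    sent = []
    for c in jar:
        if c.host_only and c.domain.lower() != host.lower():
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if c.secure and scheme != "https":
            continue
        sent.append(c)
    return sent


def parse_hsts(header_value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            max_age = int(d.split("=", 1)[1].strip().strip('"'))
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def hsts_covers_subdomains(header_value: str) -> bool:
    """True only when the policy is active and extends to subdomains."""
    max_age, include_sub = parse_hsts(header_value)
    return max_age is not None and max_age > 0 and include_sub


# Constructed sample jar: the site's own host-only Secure session cookie for
# www.example.com, and a second cookie of the same name scoped to example.com.
JAR = [
    Cookie("session", "legit", "www.example.com", host_only=True, secure=True),
    Cookie("session", "parent", "example.com", host_only=False),
]

# Constructed sample headers: the first leaves subdomains uncovered.
WEAK_HSTS = "max-age=31536000"
STRONG_HSTS = "max-age=31536000; includeSubDomains"


if __name__ == "__main__":
    for c in cookies_for_request(JAR, "www.example.com", "https"):
        print(f"https://www.example.com receives {c.name}={c.value}")
    for h in (WEAK_HSTS, STRONG_HSTS):
        print(f"{h!r}: covers subdomains = {hsts_covers_subdomains(h)}")
```

Running the script shows both `session` cookies arriving at `www.example.com` over HTTPS, which is the override the advisory warns about, and only the second header satisfying the includeSubDomains check. A deployment check can reuse `hsts_covers_subdomains` against the header a site actually returns.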
The latest versions of the mentioned browsers are not affected, so it’s best to update your browser.