Cookies, also known as “Web Cookies” or “HTTP Cookies”, have been widely used across the Internet since their inception in 1994. They were invented by Lou Montulli, a 23-year-old programmer, while he was working at Netscape. In this post, we take a deep dive into how cookies work, the privacy concerns and security risks they raise, and the regulations that govern them.
One key challenge for websites at the time was that they had no memory of earlier requests: a site could not recognise a returning user, remember their preferences, or use that knowledge to present content of interest alongside a better web experience. Cookies solve this puzzle by offering users a smoother browsing experience and giving websites a means to remember visitors and their actions.
Today, cookies help websites remember a user, login information, shopping carts, and much more. We can define cookies as follows:
What are Web Cookies?
Web cookies are small messages transferred between your device and a website. When you browse another page on the same website (server), the browser sends the cookie back to the server. Cookies are used to collect information (e.g., session details, credentials) and data that websites can use to track user preferences and actions.
Cookies are stored in a text file, cookie.txt, with one cookie per line. Cookies are also called HTTP cookies, Web cookies, Internet cookies, or browser cookies.
Most modern websites place cookies in the browser or on the hard disk of the user’s device and assign them a unique ID to identify the device.
Who can access my Cookies?
Are Cookies risky?
While most cookies are assumed to be perfectly safe, some track user details without warning or consent. Cybercriminals and other threat actors can also sometimes gain access to legitimate cookies and abuse them to spy on their targets.
What are the types of Cookies?
1. HTTP-Only Cookies
2. Session Cookies
A session cookie is a cookie that stores your information temporarily and expires once you log off or close the browser. Session cookies are also known as non-persistent, transient, or temporary cookies. This kind of cookie does not carry an expiration date.
Most e-commerce websites use session cookies for shopping carts. When you browse an e-commerce website, the cookie stores information about any products you add to the shopping cart. If you browse to a different page within the website, the information is preserved. Without session cookies, you could not add multiple items to a shopping cart, since the new page would not remember any previous activity and your shopping cart would show as empty.
3. Persistent Cookies (Permanent Cookies)
A persistent cookie, also known as a permanent or stored cookie, has an expiration date set by the website and does not expire when the browser is closed. Persistent cookies are used to remember user sign-in credentials, preferences, information, or settings to improve the user experience, adding convenience and speed. Once the expiration date is reached, the cookie expires.
Persistent cookies are also used to track visitors as they browse through the website, to understand what content people like and to help improve their experience. The most common example of a persistent cookie is the Google Analytics cookie.
4. Third-Party Cookies
Third-party cookies are cookies set by a domain other than the one the end user visited. These cookies are typically used to identify and track users across websites and to display more relevant ads consistently. An example of this kind of cookie is a Facebook “like” button that stores a cookie on the end user’s device.
Another good example: when you search for a flight and hotel booking, you suddenly see adverts showing you the best prices on multiple different websites. Yes, you guessed it right: that is what third-party cookies are used for.
5. Flash Cookies
Flash cookies, also known as Local Shared Objects (LSO), are cookies stored on a user’s device by the popular browser plugin Adobe Flash. These cookies sometimes hold information similar to what HTTP cookies contain; however, they can also store information related to Flash objects, such as where a video stopped playing or a banner advertisement stopped rotating.
Flash cookies are typically incorporated in website advertisements and videos. These files have a .sol extension instead of the cookie extension. Flash cookies are unaffected when you delete your browser history or cookies and can be used to recreate deleted cookies. The process of recreating cookies is called respawning and can significantly compromise user privacy.
6. Zombie Cookies
Zombie cookies, also known as Evercookies, are third-party cookies that hide outside the standard cookie storage, making them painfully persistent. Zombie cookies are installed without end-user permission or approval and are automatically regenerated even when a user clears all cookies from their browser. Some Zombie cookies also work across browsers on the same device.
Creating a Zombie cookie is surprisingly easy: the script called Evercookie can be downloaded from GitHub and used to build one. In 2013, a top-secret NSA document leaked by Edward Snowden mentioned Evercookie as a means of tracking Tor users.
Like other third-party cookies, Zombie cookies can be used by advertisers or web analytics companies to track user browsing histories. Sometimes websites also use Zombie cookies to blacklist specific users, and online games use them to prevent users from cheating.
7. Secure Cookies
Secure cookies have the Secure attribute set, which only allows them to be transmitted over a secure (HTTPS) channel. While this sounds like a good idea, the protection is limited to the cookie’s confidentiality: an attacker positioned on an insecure channel can overwrite a Secure cookie, compromising its integrity.
For this reason, most modern browsers, including Chrome and Firefox, deviate from the original specification here and refuse to let a page loaded over plain HTTP set or overwrite a cookie carrying the Secure attribute.
8. Same-site cookies
The SameSite attribute restricts the browser from sending cookies across websites. Its objective is to mitigate the risk of cross-site compromise or information leaks. It also adds some protection against Cross-Site Request Forgery (CSRF) attacks. The attribute can be set to “None”, “Lax”, or “Strict”.
The “None” value provides no protection: the browser will attach the cookie in all cross-site browsing contexts.
The “Strict” value prevents the browser from sending the cookie to the target site in all cross-site browsing contexts, including when the user follows a link from another site.
The “Lax” value provides a reasonable balance between security and usability: the cookie is sent on top-level navigations that use a safe method such as GET, but withheld on cross-site requests deemed risky, such as POST requests and requests for embedded sub-resources.
It is also worth mentioning that Chrome now treats cookies without an explicit SameSite attribute as SameSite=Lax, and rejects SameSite=None cookies that lack the Secure attribute. This helps limit them to first-party contexts.
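To make the session/persistent distinction and the Secure and SameSite rules above concrete, here is an added example (not code from the original post) that parses a Set-Cookie header and models whether a browser would store the cookie and attach it to a given request. The modelled defaults (a missing SameSite treated as Lax, SameSite=None requiring Secure, Secure cookies refused over plain HTTP) are assumptions based on current Chrome behaviour, and the Lax rule deliberately omits Chrome’s temporary “Lax+POST” exception.

```javascript
// Added example, not code from the original post. Minimal Set-Cookie parser
// plus two policy checks modelling the browser behaviour discussed above.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false, sameSite: null, persistent: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v.trim().toLowerCase(); break;
      case 'expires':                                  // either attribute makes the
      case 'max-age':  cookie.persistent = true; break; // cookie persistent; else session
    }
  }
  if (cookie.sameSite === null) cookie.sameSite = 'lax'; // assumed default (Chrome)
  return cookie;
}

// Would the browser store the cookie at all? `setOverHttps` says whether the
// response carrying the header arrived over HTTPS.
function browserAccepts(cookie, setOverHttps) {
  if (cookie.sameSite === 'none' && !cookie.secure) return false; // None needs Secure
  if (cookie.secure && !setOverHttps) return false; // Secure cookies only over HTTPS
  return true;
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Would the browser attach the cookie to a request? `ctx` describes the
// request: { crossSite, topLevelNavigation, method, https }.
function browserSends(cookie, ctx) {
  if (cookie.secure && !ctx.https) return false;   // Secure: HTTPS only
  if (!ctx.crossSite) return true;                  // same-site requests always carry it
  switch (cookie.sameSite) {
    case 'strict': return false;                    // never sent cross-site
    case 'lax':    return ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method);
    case 'none':   return true;                     // sent everywhere (requires Secure)
    default:       return false;
  }
}
```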
Common attacks using Cookies
1. Mass Surveillance using Cookies
A passive network observer can leverage third-party HTTP tracking cookies, Zombie cookies included, for mass surveillance. Suppose two web pages embed the same tracker, which emits a unique identifier. The observer can then link visits to both pages to the same user (browser instance), irrespective of the user’s IP address.
Yes, unfortunately, it is not only advertisers who are after your browsing history. Documents leaked by Edward Snowden indicated that the NSA is well aware of this method.
2. Cookie Hijacking attack
In a Cookie Hijacking attack, a threat actor intercepts the end user’s communication from a man-in-the-middle (MITM) position, for example a compromised Wi-Fi access point or proxy. From the network trace, the adversary can easily extract unencrypted cookies. The attacker can then impersonate the end user by presenting the stolen cookie, tricking the web server into serving the personalized version of the web page or its services.
Cookie Hijacking is also known as Session Hijacking, Cookie Harvesting, or a Cookie Poisoning attack.
This attack requires an active cookie on the end user’s system. Once the attacker has the stolen cookie, they can reuse it until its expiration date is reached. An attacker can also forge cookies from scratch to impersonate an end user and access additional user information.
3. DOM-based Cookie manipulation attack
An attacker can manipulate vulnerable cookies through DOM-based Cross-Site Scripting (XSS) if a developer writes attacker-controllable data, read from a source, into the value of a cookie, the sink. For example, the location.search property is a source, since it reads input from the query string, which is relatively simple for an adversary to control.
Any property that the attacker can control, directly or eventually, is a potential source.
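The source-to-sink flow just described, as an added example that is not code from the original post: a query-string value written straight into a cookie string, beside a hardened version that validates and encodes it. The `search` parameter stands in for `window.location.search` so the functions run outside a browser; the cookie name `theme` and the attributes added in the hardened form are assumptions.

```javascript
// Added example, not code from the original post.

// Vulnerable: the query-string value (source) lands verbatim in the cookie
// string (sink). Since ';' separates cookie attributes, a crafted value can
// append attributes such as Domain or Path that the developer never intended.
function themeCookieVulnerable(search) {
  const theme = new URLSearchParams(search).get('theme');
  return `theme=${theme}; path=/`;   // this string would be assigned to document.cookie
}

// Hardened: validate the value against the shape the application actually
// expects, then percent-encode it so ';', ',', whitespace and control
// characters can never leave the cookie-value position. Returns null on rejection.
const THEME_PATTERN = /^[a-z0-9_-]{1,32}$/;   // assumed allowed shape for a theme name
function themeCookieHardened(search) {
  const theme = new URLSearchParams(search).get('theme');
  if (theme === null || !THEME_PATTERN.test(theme)) return null;
  return `theme=${encodeURIComponent(theme)}; path=/; Secure; SameSite=Lax`;
}

// Helper for inspecting a produced cookie string: the attributes after the
// name=value pair, lower-cased, so any injected attribute becomes visible.
function cookieAttributes(cookieString) {
  return cookieString.split(';').slice(1).map((a) => a.trim().toLowerCase());
}
```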
4. Cross-Site Tracing (CST) attack
In a Cross-Site Tracing attack, the attacker combines Cross-Site Scripting (XSS) with the TRACE (or TRACK) HTTP method. Using CST, an attacker can steal a user’s cookies via XSS even though the website sets the “HttpOnly” flag.
This attack method was discovered in 2003 by Jeremiah Grossman. One of the most common XSS payloads reads the document.cookie object and sends it to an attacker-controlled web server, allowing the attacker to hijack the victim’s session.
5. Cross-Site Request Forgery (CSRF) attack
A Cross-Site Request Forgery attack exploits a website’s trust in its user. In a way, it is the exact opposite of Cross-Site Scripting, which exploits the user’s trust in the website. CSRF is also known as a One-Click attack or Session Riding.
6. Cookie Stuffing
Cookie Stuffing, or Cookie Dropping, is an affiliate marketing technique in which a third-party cookie unrelated to the website is dropped into the user’s web browser without the user’s knowledge or consent. If the user later visits the target website and completes a transaction, the cookie stuffer is paid a commission by the target.
Since the stuffer has not in any way encouraged the visitor to buy the product or service, most affiliate schemes consider this method illegitimate. While it may not be an attack, end users should be aware of this trick.
Cookies and Regulatory Compliance
1. GDPR in the European Union
The GDPR does not comprehensively cover how cookies should be used; it mentions cookies only once in the regulation:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers, or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Since cookies are used to identify users, they qualify as personal data and are subject to the GDPR. However, companies have the right to process their users’ data as long as they obtain consent or have a legitimate interest.
2. ePrivacy Directive in the European Union
The ePrivacy Directive (EPD), passed in 2002 and amended in 2009, has since become known as the “Cookie Law”, because it made cookie-consent pop-ups mandatory. It supplements (and in some cases overrides) the GDPR by addressing crucial aspects of the confidentiality of electronic communications and the tracking of Internet users more broadly.
3. California Consumer Privacy Act (CCPA)
How to stay protected from Cookie abuse?
1. Delete Browser Cookies frequently
2. Block Third-Party Cookies
Go to your browser’s settings and look for an option to block third-party cookies. It will help you block undesired third-party cookies.
3. Update your device and browser frequently
Do not be lazy about software updates, as a system update can save you a lot of trouble. You should also phase out any legacy hardware, including your much-loved old phone or PC. To learn more about how legacy devices can impact your security, please refer to our earlier blog post.