[13741] in bugtraq


Re: Evil Cookies.

daemon@ATHENA.MIT.EDU (Thomas Reinke)
Mon Feb 7 18:43:26 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <389BBC17.8E345E74@e-softinc.com>
Date:         Sat, 5 Feb 2000 00:58:47 -0500
Reply-To: Thomas Reinke <reinke@E-SOFTINC.COM>
From: Thomas Reinke <reinke@E-SOFTINC.COM>
X-To:         Iain Wade <iwade@OPTUSNET.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM

I believe that Netscape may have had to break their own spec here.
Consider a valid domain such as "tdbank.ca" (a Financial Institution
in Canada).  They have a top level domain that is not in the
list allowing 2 periods. If Netscape enforced the spec, web sites
in this domain (e.g. www.tdbank.ca) would never be able to set
cookies to all hosts in that domain (e.g. www.tdbank.ca,
secure.tdbank.ca).

I suspect Netscape will probably allow any domain with 2 dots
in it (.anydomain.tld).

So, as a result, in areas where the domain hierarchy runs
a bit deeper (.com.uk, .com.au) it would be possible for
a site to set a cookie that then was sent to every other
site in that same hierarchy.

There is no easy patch to this problem. The only solution I
can think of, which is not an easy one, would be to have browsers
have intimate knowledge of what constitutes an organization's
"domain of influence", and limit cookies accordingly. This
is essentially impossible to implement.

(Consider domain.city.state.country - where is the allowable
domain of influence here? Probably 4 levels deep, but how
to indicate this to the browser?)

I don't think that this makes data collection any easier -
but it DOES make data dissemination easier. It's a no-win
for the marketing folks, because they want to collect as
much data as possible, and give out as little as possible
except to those who pay for it.
In this case, this capability simply makes it easier for
a marketing company to set a cookie that gets sent to
all web sites. Big deal - either they end up giving away
their information for free (don't bet on it), or they
put very little into the cookie that is of any value to
begin with.

Unless someone can think of some sinister twist to which this
capability can be put to use?

Cheers, Thomas

Iain Wade wrote:
>
> Hello,
>
> I have an evil cookie observation I'd like to share:
>
> While developing some CGI stuff, I noticed that my browser was sending a
> cookie which didn't make sense since I had control of that domain and I
> hadn't issued any cookies .. the name "CyberTargetAnonymous" didn't fill
> me with confidence either.
>
> After refreshing my knowledge of cookies at Netscape's developer site
> below I noticed something strange:
> http://developer.netscape.com:80/docs/manuals/communicator/jsguide4/cookies.htm
>
> In the section "Determining a valid domain" is this little gem:
>
> <quote>
> If the domain attribute matches the end of the fully qualified domain
> name of the host, then path matching is performed to determine if
> the cookie should be sent. For example, a domain attribute of
> royalairways.com matches hostnames anvil.royalairways.com and
> ship.crate.royalairways.com.
>
> Only hosts within the specified domain can set a cookie for a domain. In
> addition, domain names must use at least two or three periods.
> Any domain in the COM, EDU, NET, ORG, GOV, MIL, and INT categories
> requires only two periods; all other domains require at least three
> periods.
> </quote>
>
> So my questions are these:
>
> a) Why would Netscape Communicator 4.7 accept a cookie like this
> (invalid -- only two periods):
>
> .com.au TRUE    /       FALSE   1264987602      CyberTargetAnonymous    NMN000CDCF833FA08963E9BDBC6CAA59301
>
> b) How can this be used by some mass marketing company to turn me into a
> number in their systems for sale to the highest bidder?
>
> Just because you're paranoid doesn't mean they're not all out to get
> you.
>
> --
> Iain Wade

--
------------------------------------------------------------
Thomas Reinke                            Tel: (905) 331-2260
Director of Technology                   Fax: (905) 331-2504
E-Soft Inc.                         http://www.e-softinc.com
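An added example, not from either message in the thread, modelling the two rules under discussion: the strict Netscape rule Iain quotes (two periods for COM/EDU/NET/ORG/GOV/MIL/INT, three for everything else) beside the relaxed "any domain with two dots" behaviour Thomas suspects. It assumes the spec's period count includes the leading dot; tdbank.ca and royalairways.com come from the thread, and all other hostnames are constructed.

```python
# Added example (not from either message): the Netscape cookie domain rule
# Iain quotes, beside the relaxed "any domain with two dots" behaviour Thomas
# suspects Netscape applies. Assumption: the spec's period count includes the
# leading dot, so ".royalairways.com" and ".com.au" both have two periods.

SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

def _dotted(domain: str) -> str:
    """Normalise a domain attribute to lower case with a leading dot."""
    d = domain.lower()
    return d if d.startswith(".") else "." + d

def domain_matches_host(domain: str, host: str) -> bool:
    """Tail match from the spec: the domain attribute must match the end of the
    host FQDN (the leading dot keeps 'evilroyalairways.com' from matching)."""
    d, h = _dotted(domain), host.lower()
    return h.endswith(d) or h == d[1:]

def strict_period_rule(domain: str) -> bool:
    """As documented: two periods for COM/EDU/NET/ORG/GOV/MIL/INT, else three."""
    d = _dotted(domain)
    needed = 2 if d.rsplit(".", 1)[-1] in SPECIAL_TLDS else 3
    return d.count(".") >= needed

def relaxed_period_rule(domain: str) -> bool:
    """What Thomas suspects: any domain attribute with at least two dots."""
    return _dotted(domain).count(".") >= 2

def accepts_cookie(setting_host: str, domain_attr: str, rule) -> bool:
    """Would a browser applying `rule` store a cookie with this domain
    attribute when `setting_host` sets it?"""
    return domain_matches_host(domain_attr, setting_host) and rule(domain_attr)

def hosts_receiving(domain_attr: str, hosts) -> list:
    """Once stored, the cookie goes to every host matching the domain tail."""
    return [h for h in hosts if domain_matches_host(domain_attr, h)]

if __name__ == "__main__":
    # Constructed hostnames; only tdbank.ca comes from the thread.
    sites = ["www.tdbank.ca", "secure.tdbank.ca",
             "tracker.someagency.com.au", "www.otherbusiness.com.au"]
    for rule in (strict_period_rule, relaxed_period_rule):
        print(rule.__name__)
        print("  .tdbank.ca set by www.tdbank.ca:",
              accepts_cookie("www.tdbank.ca", ".tdbank.ca", rule))
        print("  .com.au set by tracker.someagency.com.au:",
              accepts_cookie("tracker.someagency.com.au", ".com.au", rule))
    print("hosts receiving a .com.au cookie:", hosts_receiving(".com.au", sites))
```

Under the strict rule the .com.au cookie is refused but so is a legitimate .tdbank.ca cookie; under the relaxed rule both are stored, and the .com.au one is then sent to every host in that hierarchy.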
