Released : 14th December 98
We have confirmed a bug in the current implementation of the cookie protocol. The bug allows cookies to override the current domain restrictions enforced on the sharing of cookies. According to the Netscape specifications, cookies can only be set and read by the domain in which they are active, for instance Amazon.com can only read and set cookies within the Amazon.com domain. (note - for more information on cookies visit the main page)
The exploit allows a site to set cookies that can be shared between unrelated domains. The script overrides the domain restrictions by placing three '.' characters appended to the domain name. This confuses the browser about the top-level domain. To our knowledge, all the mainstream browsers are vulnerable to this exploit. Internet Explorer and Netscape are all known to be venerable on the Windows, Mac and Linux platforms.
Demonstrating this exploit, a domain name can set a cookie and then an unrelated domain can read it.
You can see this at work: -
Set the cookie from here:
Then retrieve it on another (unrelated) server like this:
Normally, the Project9.com domain would not have any access to cookies set from cookiecentral.com, however by confusing the browser using the three dots, this allows universal sharing of the cookie.
The current cookie protocol enforces a privacy model that restricts the interaction of cookies from different domains. By confusing the browser over the domain name, it does not know which domain to restrict the cookie to; therefore it is accessible through any domain. The problem is not within the protocol itself but the implementation of the specifications by the browser companies.
- This only affects URLs using domain names, not IP numbers.
- To our knowledge, cookies set in an official manner cannot be read by the exploit.
- The cookie must be set in a special way for the exploit to work.
- When setting the cookie, the path attribute seems to be a mandatory piece of the header. Our example is set to path="/",
- We have also discovered that Internet Explorer does not store this type of cookie in a persistent state, probably because it can't store the domain value in the special user@domain
format IE uses. However, it does store it a session cookie.
24th Dec - Another bug called The Cookie Monster has been discovered, this bug is similar to the one demonstrated on this page, however this exploit affects servers on Non-US Domains.
14th Dec - The Microsoft Product Security Response Team has acknowledged our report and have passed the information onto their Internet Explorer development team, who will try to reproduce the bug.