HTTP Cookie Hijacking in the Wild: Security and Privacy Implications

Black Hat USA 2016

Presented by: Jason Polakis, Suphannee Sivakorn
Date: Thursday August 04, 2016
Time: 09:45 - 10:35
Location: South Seas IJ

The widespread demand for online privacy, also fueled by widely-publicized demonstrations of session hijacking attacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information are exposed to attackers who have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS: service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies. Our cookie hijacking study reveals a number of severe flaws: attackers can obtain the user's home and work address and visited websites from Google; Bing and Baidu expose the user's complete search history; and Yahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and eBay expose the user's purchase history (partial and full respectively), and almost every website exposes the user's name and email address. Ad networks like DoubleClick can also reveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore multiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars.
To estimate the extent of the threat, we run IRB-approved measurements on a subset of our university's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for our hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as the EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed. The privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking.

Suphannee Sivakorn

Suphannee Sivakorn is a PhD student in the Department of Computer Science at Columbia University. Her research interests lie in the security and privacy aspects of social networks and web security. Suphannee holds an MS (2013) in Computer Science from New York University, and a BEng (2010) in Computer Engineering from Mahidol University.

Jason Polakis

Jason Polakis is a Postdoctoral Research Scientist in the Department of Computer Science at Columbia University. He is broadly interested in identifying the security and privacy limitations of Internet technologies, designing robust defenses and privacy-preserving techniques, and enhancing our understanding of the online ecosystem and its threats. His research has revealed significant flaws in popular services, and major vendors have deployed his proposed defenses. His work has been published in top tier security conferences (Security and Privacy, CCS, and NDSS) as well as other top tier computer science conferences (WWW).
