Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Evil Cookies.
From: reinke () E-SOFTINC COM (Thomas Reinke)
Date: Sat, 5 Feb 2000 00:58:47 -0500


I believe that Netcsape may have had to break their own spec here.
Consider a valid domain such as "tdbank.ca" (a Financial Institution
in Canada).  They have a top level domain that is not in the
list allowing 2 periods. If Netscape enforced the spec, web sites
in this domain (e.g. www.tdbank.ca) would never be able to set
cookies to all hosts in that domain (e.g. www.tdbank.ca,
secure.tdbank.ca).

I suspect Netscape will probably allow any domain with 2 dots
in it (.anydomain.tld)

So, as a result, in areas where the domain hierarchy runs
a bit deeper (.com.uk, .com.au) it would be possible for
a site to set a cookie that then was sent to every other
site in that same hierarchy.

There is no easy patch to this problem. The only solution I
can think of, which is not an easy one, would be to have browsers
have intimate knowledge of what constitutes an organization's
"domain of influence", and limit cookies accordingly. This
is essentially impossible to implement.

(Consider  domain.city.state.country - where is the allowable
domain of influence here? Probably 4 levels deep, but how
to indicate this to the browser).

I don't think that this makes data collection any easier -
but it DOES make data dissemination easier. It's a no-win
for the marketing folks, because they want to collect as
much data as possible, and give out as little as possible
except to those who pay for it.
In this case, this capability simply makes it easier for
a marketing company to set a cookie that gets sent to
all web sites. Big deal - either they end up giving away
their information for free (don't bet on it), or they
put very little into the cookie that is of any value to
begin with.

Unless someone can think of some sinister twist to which this
capability can be put to use?

Cheers, Thomas

Iain Wade wrote:

Hello,

I have an evil cookie observation I'd like to share:

While developing some CGI stuff, I noticed that my browser was sending a
cookie which didn't make sense since I had control of that domain and I
hadn't issues any cookies .. the name "CyberTargetAnonymous" didn't fill
me with confidence either.

After refreshing my knowledge of cookies at netscapes developer site
below I noticed something strange:
http://developer.netscape.com:80/docs/manuals/communicator/jsguide4/cookies.htm

In the section "Determining a valid domain" is this little gem:

<quote>
If the domain attribute matches the end of the fully qualified domain
name of the host, then path matching is performed to determine if
the cookie should be sent. For example, a domain attribute of
royalairways.com matches hostnames anvil.royalairways.com and
ship.crate.royalairways.com.

Only hosts within the specified domain can set a cookie for a domain. In
addition, domain names must use at least two or three periods.
Any domain in the COM, EDU, NET, ORG, GOV, MIL, and INT categories
requires only two periods; all other domains require at least three
periods.
</quote>

So my questions are these:

a) Why would Netscape Communicator 4.7 accept a cookie like this
(invalid -- only two periods):

.com.au TRUE    /       FALSE   1264987602      CyberTargetAnonymous
NMN000CDCF833FA08963E9BDBC6CAA59301

b) How can this be used by some mass marketing company to turn me into a
number in their systems for sale to the highest bidder?

Just because you're paranoid doesn't mean they're not all out to get
you.

--
Iain Wade

--
------------------------------------------------------------
Thomas Reinke                            Tel: (905) 331-2260
Director of Technology                   Fax: (905) 331-2504
E-Soft Inc.                         http://www.e-softinc.com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]