mailing list archives
Re: Microsoft IE cookies readable via about: URLS
From: Peter W <peterw () usa net>
Date: Thu, 15 Nov 2001 16:39:47 -0500
** resending; the distinction between http and https cookies is
significant, and this about: bug underscores the importance
of using at least one "secure" cookie for extra protection **
On Thu, Nov 08, 2001 at 03:32:54PM +0200, Jouko Pynnonen wrote:
Finally, the about URL may have a hostname placed after the colon, and IE
uses that hostname when determining the cookies to use:
The above URL would result in IE displaying cookies of www.anydomain.fi
in the alert box, assuming that the site has been visited and it has set
a cookie which hasn't expired.
Site admins: be sure to set the "secure" flag on cookies where possible!
A colleague who has tested this (I don't have IE 5.5 or 6.0 handy) reports
at least one nugget of good news: it seems that about: can only be used to
leak non-secure cookies. At least for our site (which uses both secure and
non-secure cookies), only those not flagged secure are visible. So sites
that run under SSL and set the secure flag are OK. But those of us using
cookies on plain old HTTP are in deep trouble. (And rumor has it that at
least one prominent online investment e-trading site, despite using SSL,
does *not* set the secure flags for their cookies, and therefore their
customers using IE 5.5 or IE 6.0 are vulnerable to some degree of account
Unfortunately, a quick survey of some on-line storefronts by prominent tech
companies (Red Hat, IBM, Microsoft) suggests that it's rather popular for
commerce sites to only use non-secure cookies. This despite the discussion
of the "cookie marking" bug in IIS 4 and IIS 5 that prompted patches.
Microsoft: this really, really stinks.