mailing list archives
RE: Third party cookie handling in Opera can lead to potential compromises in Servers relying on redirection
From: "Rohit Dube" <rohit () kritikalsolutions com>
Date: Tue, 24 Aug 2004 09:49:48 +0530
How do mozilla and IE do this? In case they are allowing overwriting of
cookie from one domain by another domain, it can be much worse.
KritiKal Solutions Private Limited
Block One Extension
Prediction is very difficult, especially of the future.
From: George Capehart [mailto:gwc () acm org]
Sent: Friday, August 20, 2004 3:58 AM
To: bugtraq () securityfocus com
Subject: Re: Third party cookie handling in Opera can lead to potential
compromises in Servers relying on redirection
On Tuesday 17 August 2004 04:34, Rohit Dube allegedly wrote:
Opera's policy with respect to third party cookie makes it
vulnerable to session replay attacks. This was discovered 2 weeks
back. Opera's response to the same is attached. The issue and the
workaround are listed below.
Opera claims to be the fastest browser on earth and has the third
largest user base.
cookies, some servers (one is mail.yahoo.com) become susceptible to
session replay attacks. Reproduction steps, for mail.yahoo.com are:
<snip rest of discussion>
Seems to me that it's not Opera that is "at fault." Browsers don't have
sessions for which they need to maintain state. Application servers
do, though. Shame on Yahoo for not maintaining state. This is a
do not maintain their own idea of state and which don't protect
themselves against session replay attacks. Rule #1 of (especially
distributed) applications: DO NOT TRUST INPUT FROM A DOMAIN UNDER
WHICH YOU HAVE NO CONTROL!!!!!! This is just plain bad practice.
My 0.02 $CURRENCY
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"With sufficient thrust, pigs fly just fine." -- RFC 1925