Bugtraq mailing list archives

Re: Microsoft IE cookies readable via about: URLS


From: Peter W <peterw () usa net>
Date: Thu, 15 Nov 2001 16:39:47 -0500

** resending; the distinction between http and https cookies is
   significant, and this about: bug underscores the importance
   of using at least one "secure" cookie for extra protection **

On Thu, Nov 08, 2001 at 03:32:54PM +0200, Jouko Pynnonen wrote:

> Finally, the about URL may have a hostname placed after the colon, and IE
> uses that hostname when determining the cookies to use:
>
> about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script>
>
> The above URL would result in IE displaying cookies of www.anydomain.fi
> in the alert box, assuming that the site has been visited and it has set
> a cookie which hasn't expired.

Site admins: be sure to set the "secure" flag on cookies where possible!

A colleague who has tested this (I don't have IE 5.5 or 6.0 handy) reports
at least one nugget of good news: it seems that about: can only be used to
leak non-secure cookies. At least for our site (which uses both secure and
non-secure cookies), only those not flagged secure are visible. So sites
that run under SSL and set the secure flag are OK. But those of us using
cookies on plain old HTTP are in deep trouble. (And rumor has it that at
least one prominent online investment e-trading site, despite using SSL,
does *not* set the secure flags for their cookies, and therefore their
customers using IE 5.5 or IE 6.0 are vulnerable to some degree of account
information theft!)

Unfortunately, a quick survey of some on-line storefronts by prominent tech
companies (Red Hat, IBM, Microsoft) suggests that it's rather popular for
commerce sites to only use non-secure cookies. This despite the discussion
of the "cookie marking" bug in IIS 4 and IIS 5 that prompted patches.[0]

Microsoft: this really, really stinks.

-Peter

[0] http://www.ciac.org/ciac/bulletins/l-010.shtml
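The "secure" flag audit that the post recommends, as an added example that is not part of the original thread: it parses every Set-Cookie header in a response and lists the cookies set without the Secure attribute, i.e. the ones the browser will also send over plain HTTP and the ones this thread reports as exposed by the IE about: bug. The response headers are a constructed sample; the function and variable names are this example's own.

```python
import re

# Constructed sample response, not captured from any real site.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; Secure
Set-Cookie: prefs=blue; Path=/; Domain=.example.test; Expires=Sat, 01 Jan 2011 00:00:00 GMT
Set-Cookie: cart=42; Path=/; secure
Set-Cookie: tracker=xyz
"""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lowercased so 'Secure' and 'secure' compare equal;
    flag attributes without a value (Secure) are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def set_cookie_values(raw_headers):
    """Yield the value of every Set-Cookie header, matching the name case-insensitively."""
    for line in raw_headers.splitlines():
        match = re.match(r"(?i)set-cookie\s*:\s*(.*)", line)
        if match:
            yield match.group(1)


def insecure_cookies(raw_headers):
    """Return the names of cookies set without the Secure attribute.

    A site that serves everything under SSL but leaves this flag off is in
    the position the post describes: its cookies travel over plain HTTP too.
    """
    findings = []
    for value in set_cookie_values(raw_headers):
        name, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("cookies lacking Secure:", insecure_cookies(SAMPLE_HEADERS))
```

Point it at a saved response header block (for example from a `HEAD` request to the login page) to repeat the survey the post describes for your own site.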
