HTTP Cookie Hijacking in the Wild: Security and Privacy Implications

Presented at Black Hat USA 2016, Aug. 4, 2016, 9:45 a.m. (50 minutes).

The widespread demand for online privacy, also fueled by widely publicized demonstrations of session hijacking attacks against popular websites (see Firesheep), has spearheaded the increasing deployment of HTTPS. However, many websites still avoid ubiquitous encryption due to performance or compatibility issues. The prevailing approach in these cases is to force critical functionality and sensitive data access over encrypted connections, while allowing more innocuous functionality to be accessed over HTTP. In practice, this approach is prone to flaws that can expose sensitive information or functionality to third parties. In this work, we conduct an in-depth assessment of a diverse set of major websites and explore what functionality and information are exposed to attackers who have hijacked a user's HTTP cookies. We identify a recurring pattern across websites with partially deployed HTTPS: service personalization inadvertently results in the exposure of private information. The separation of functionality across multiple cookies with different scopes and inter-dependencies further complicates matters, as imprecise access control renders restricted account functionality accessible to non-session cookies. Our cookie hijacking study reveals a number of severe flaws: attackers can obtain the user's home and work address and visited websites from Google; Bing and Baidu expose the user's complete search history; and Yahoo allows attackers to extract the contact list and send emails from the user's account. Furthermore, e-commerce vendors such as Amazon and eBay expose the user's purchase history (partial and full, respectively), and almost every website exposes the user's name and email address. Ad networks like DoubleClick can also reveal pages the user has visited. To fully evaluate the practicality and extent of cookie hijacking, we explore multiple aspects of the online ecosystem, including mobile apps, browser security mechanisms, extensions and search bars.

To estimate the extent of the threat, we run IRB-approved measurements on a subset of our university's public wireless network for 30 days, and detect over 282K accounts exposing the cookies required for our hijacking attacks. We also explore how users can protect themselves and find that, while mechanisms such as the EFF's HTTPS Everywhere extension can reduce the attack surface, HTTP cookies are still regularly exposed. The privacy implications of these attacks become even more alarming when considering how they can be used to deanonymize Tor users. Our measurements suggest that a significant portion of Tor users may currently be vulnerable to cookie hijacking.
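The partial-HTTPS exposure the abstract describes, as an added Python example (not code from the talk or its authors): it parses Set-Cookie headers and reports which cookies a browser would still attach to a plain http:// request, given each cookie's Domain, Path and Secure attributes. The cookie names, values and example.com hosts are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Cookie:
    name: str
    domain: str      # effective domain; the request host when no Domain attribute
    path: str
    secure: bool
    host_only: bool  # no Domain attribute: only the exact host receives the cookie

def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie value (simplified RFC 6265; default Path is '/')."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return Cookie(name, domain or request_host.lower(), attrs.get("path") or "/",
                  "secure" in attrs, host_only=not domain)

def would_send(cookie: Cookie, url: str) -> bool:
    """True if a browser would attach `cookie` to a request for `url`."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    if cookie.secure and u.scheme != "https":
        return False  # the Secure attribute keeps a cookie off plaintext HTTP
    if cookie.host_only:
        domain_ok = host == cookie.domain
    else:  # domain-match: the host is the cookie domain or a subdomain of it
        domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    path = u.path or "/"
    path_ok = path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")
    return domain_ok and path_ok

def exposed_over_http(set_cookie_headers, request_host, http_url):
    """Names of cookies sent in the clear when the user loads `http_url`."""
    jar = [parse_set_cookie(h, request_host) for h in set_cookie_headers]
    return sorted(c.name for c in jar if would_send(c, http_url))

# Constructed sample (hypothetical names and values, not from any real site):
# only SID and CSRF carry Secure, mirroring the partial-HTTPS pattern above.
SAMPLE_HEADERS = [
    "SID=s3ss10n; Domain=.example.com; Path=/; Secure; HttpOnly",
    "PREF=ui=dark&lang=en; Domain=.example.com; Path=/",
    "HIST=q%3Dcookies; Domain=.example.com; Path=/search",
    "CSRF=t0k3n; Path=/account; Secure",
]
```

Running `exposed_over_http(SAMPLE_HEADERS, "www.example.com", "http://www.example.com/search?q=test")` lists the personalization cookies (`HIST`, `PREF`) that a passive observer on the network could read, while the Secure session cookie stays off the wire.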


Presenters:

  • Suphannee Sivakorn - Columbia University
    Suphannee Sivakorn is a PhD student in the Department of Computer Science at Columbia University. Her research interests lie in the security and privacy aspects of social networks and web security. Suphannee holds an MS (2013) in Computer Science from New York University, and a BEng (2010) in Computer Engineering from Mahidol University.
  • Jason Polakis - Columbia University
    Jason Polakis is a Postdoctoral Research Scientist in the Department of Computer Science at Columbia University. He is broadly interested in identifying the security and privacy limitations of Internet technologies, designing robust defenses and privacy-preserving techniques, and enhancing our understanding of the online ecosystem and its threats. His research has revealed significant flaws in popular services, and major vendors have deployed his proposed defenses. His work has been published in top-tier security conferences (Security and Privacy, CCS, and NDSS) as well as other top-tier computer science conferences (WWW).
