Half-Baked Cookies: Client Authentication on the Modern Web
Modern websites set multiple authentication cookies during the login process to allow users to remain authenticated over the duration of a web session. Web applications use cookie-based authentication to provide different levels of access and authorization; the complexity of websites' code and the various combinations of authentication cookies that grant such access introduce potentially serious vulnerabilities. For example, an on-path attacker can trick a victim's browser into revealing insecure authentication cookies for any site, even if the site itself is always accessed over HTTPS. Analyzing the susceptibility of websites to such attacks first requires a way to identify a website's authentication cookies. We developed an algorithm to determine the set of cookies that serve as authentication cookies for a particular site. Using this algorithm, which we implemented as a Chrome extension, we tested 45 websites and found that an attacker can gain access to a user's sensitive information on sites such as GoDaddy, Yahoo Search, Comcast, LiveJournal, StumbleUpon, and Netflix. In cases where these sites cannot enable site-wide HTTPS, we offer recommendations for using authentication cookies that reduce the likelihood of attack. Based on these recommendations, we develop a tool, Newton, that website administrators can use to audit the security of a site's cookie-based authentication and that users can run to identify vulnerabilities at runtime.