Who Left Open the Cookie Jar?

Cookies have become an important aspect of the modern-day web. By default, browsers automatically attach cookies to all HTTP requests. This allows users to keep track of which items they have added to their online shopping basket, or simply to log in to their favorite websites. However, cookies may also be exploited for more nefarious goals: users' online activities are tracked at large scale by various advertising companies, and so-called cross-site attacks can be used to take over the account of an unwitting user. In response to this growing threat surface, a variety of defense mechanisms have been developed: anti-tracking and ad-blocking browser extensions, and built-in browser features such as Tracking Protection in Firefox or SameSite cookies, which can be highly effective at thwarting cross-site attacks.

An important prerequisite for these privacy- and security-enhancing features to function properly is that all requests comply with the imposed cookie policies. As browsers have become enormously complex, certain edge cases may have been overlooked, or the interplay of specific features may have unwanted side effects. In our research, we created a framework to verify whether all imposed cookie and request policies are correctly applied (will be made available soon). Worryingly, we found that most mechanisms could be circumvented: for instance, for every ad-blocking and anti-tracking browser extension we discovered at least one technique that could bypass the policies. For the technical details of these findings, we invite you to read our paper, which was presented at USENIX Security ’18.
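The kind of check this verification implies, as an added example (not the authors' framework, which this page does not show): given requests as a test server logged them, list every cookie that a cookie policy should have withheld. The record fields, cookie names and hosts are constructed for illustration, and site() approximates the registrable domain by the last two host labels instead of consulting the Public Suffix List.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Constructed: SameSite attribute of each cookie set in a first-party context.
JAR = {"sid_strict": "Strict", "sid_lax": "Lax", "sid_plain": None}

# Constructed sample log. "mechanism" is the browser feature the test page used
# to trigger the request; "link-click" is a baseline top-level navigation.
CAPTURED = [
    {"mechanism": "prerender", "initiator": "https://test.example/",
     "url": "https://shop.example/r", "method": "GET", "top_level": False,
     "cookies": ["sid_strict", "sid_plain"]},
    {"mechanism": "pdf", "initiator": "https://test.example/doc.pdf",
     "url": "https://shop.example/r", "method": "POST", "top_level": False,
     "cookies": ["sid_lax"]},
    {"mechanism": "link-click", "initiator": "https://test.example/",
     "url": "https://shop.example/", "method": "GET", "top_level": True,
     "cookies": ["sid_lax", "sid_plain"]},
    {"mechanism": "favicon", "initiator": "https://www.shop.example/",
     "url": "https://static.shop.example/favicon.ico", "method": "GET",
     "top_level": False, "cookies": ["sid_strict"]},
]

def site(url):
    """Approximate the registrable domain (assumption: last two host labels)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def violations(requests, jar, block_third_party=False):
    """Return (mechanism, cookie, rule) for each cookie that should not have been sent."""
    found = []
    for req in requests:
        if site(req["initiator"]) == site(req["url"]):
            continue  # same-site request: none of these policies restrict it
        top_nav = req.get("top_level", False)
        for name in req["cookies"]:
            same_site = jar.get(name)
            if same_site == "Strict":
                found.append((req["mechanism"], name, "samesite-strict"))
            elif same_site == "Lax" and not (top_nav and req["method"] in SAFE_METHODS):
                found.append((req["mechanism"], name, "samesite-lax"))
            elif block_third_party and not top_nav:
                found.append((req["mechanism"], name, "third-party-blocked"))
    return found

if __name__ == "__main__":
    for row in violations(CAPTURED, JAR, block_third_party=True):
        print(row)
```

Checking the cookies that arrive, rather than the ones that were accepted, is what separates blocking the setting of a cookie from blocking its sending, the distinction the Safari 10 entry in the timeline turns on.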

We have been working with browser vendors and extension developers to mitigate the discovered issues. To verify whether you are affected by our detected bypasses, feel free to explore the data on this website (please note that we are still working to have the most up-to-date information available).

Timeline of discovered issues

  • Bypasses for the Opera AdBlocker discovered

    Jun 28, 2018

    Requests to cross-site blacklisted domains can still be sent using various mechanisms in Opera, while their built-in ad blocker is enabled.

    • Affected browsers: opera
    • Bug report not available (Reported)

  • Various bypasses discovered for the same-site cookie policy in Edge

    Jun 28, 2018

    The same-site cookie policy implemented by Edge can be bypassed through multiple mechanisms.

  • The option to block third-party cookies in Safari 10 does not exclude cookies set in a first-party context from future cross-site requests

    Jun 13, 2018

    When enabling the option to block third-party cookies (called "allow cookies from current website only" in Safari 10), cookies that are set in a first-party context are still included in cross-site requests. It seems that only the setting of cookies is blocked, but not the sending of cookies.

  • Enabling the option to block third-party cookies in Edge has no effect

    Jun 11, 2018

    Third-party cookies are still included in all requests when enabling the option to block these in Edge.

  • The option to block third-party cookies can be bypassed in Chromium through PDF files

    Apr 25, 2018

    JavaScript embedded in PDF files can be used to send GET or POST requests to a cross-site domain. In Chromium this bypasses the option to block third-party cookies.

    • Affected browsers: chrome opera
    • Bug report (Confirmed -> Assigned)

  • Cross-site requests initiated by PDF files bypass the WebExtension API provided by Chromium

    Mar 22, 2018

    Extensions such as ad blockers or privacy extensions cannot intercept requests initiated by PDF files opened in Chrome or Opera through the WebExtension API.

    • Affected browsers: chrome opera
    • Bug report (Confirmed -> WontFix)

  • Bypasses for the Firefox Tracking Protection discovered

    Mar 22, 2018

    Various mechanisms can be leveraged to bypass Firefox Tracking Protection. This way, cross-site requests directed at blacklisted domains can be sent while this countermeasure is enabled.

  • Requests initiated by the AppCache API are not easily distinguished from requests initiated by browser background processes

    Mar 22, 2018

    It is difficult for extension developers to distinguish requests initiated by browser background processes from requests initiated by websites.

    • Affected browsers: firefox
    • Bug report (Confirmed -> WontFix)

  • Requests to fetch the favicon are not interceptable by Firefox extensions

    Jan 27, 2018

    Extensions for Firefox are not able to intercept (cross-site) requests to fetch the favicon through the WebExtension API.

  • Same-site cookie policy bypass discovered in Chromium

    Apr 10, 2017

    Prerender functionality can be leveraged to initiate cross-site requests that include same-site cookies assigned the value strict. This bug was no longer detected for multiple versions starting from Chrome 62; however, it returned in Chrome 66, 67 and 68.

    • Affected browsers: chrome opera
    • Bug report (Confirmed -> Assigned)

Contact

We refer to the article on the DistriNet website for additional information. For questions or suggestions, you can contact us directly by e-mail, or via Twitter.