Cookies, the files that websites create in browsers to remember logged-in users and track other information about them, could be abused by attackers to extract sensitive information from encrypted HTTPS connections.
The issue stems from the fact that the HTTP State Management standard, or RFC 6265, which defines how cookies should be created and handled, does not specify any mechanism for isolating them or checking their integrity.
As such, Web browsers don’t always authenticate the domains that set cookies. That allows malicious attackers to inject cookies via plain HTTP connections that would later be transmitted for HTTPS connections instead of those set by the HTTPS sites themselves, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University said in an advisory Thursday.
To read this article in full or to leave a comment, please click here