
5 Security Issues with Cookies

June 9, 2021

When you visit web pages, chances are you just want to enjoy some quick content. Of course, before you get to the good stuff, a pop-up screen appears explaining the website’s cookie policy. You quickly click “accept” to get that annoying screen out of the way and to go about your business.

If you’re like most people, you don’t even think about what that acceptance means, or the possible related security risks. You just click the button and move on. But there could be some security issues with cookies you may want to know about.

Computer cookies are simple text files stored in your web browser as you peruse the internet. When you visit a website for the first time, your browser sends a request. The website, in turn, sends your browser a cookie. When you return to that same website, your browser includes the cookie with its request, letting the website know who you are and that you’ve been there before.

Since the website “remembers” you, it can automatically set your preferences like language or unique color settings or provide suggestions based on your interests. That’s how big websites like Facebook and YouTube always seem to know what type of content to suggest.

Cookie usage is very common on the internet. According to reports, 43.8% of all websites use cookies. While cookies themselves are quite harmless, 81.5% of cookies are non-secure, which could lead to security risks. Here’s what you need to know about security issues from computer cookies and how to remain secure online.

5 Security Issues with Cookies

Computer cookies, for the most part, are beneficial to your online experience. They help websites provide personalized experiences for each user—which is incredible, considering the number of online users. But like anything online, hackers, cybercriminals and bad actors have discovered ways to utilize cookies to take advantage of people.

Before diving into the specific security issues with cookies, it’s important to understand the different types. Computer cookies can be broken down into three categories:

  • Session cookies – Stored in your computer’s active memory (RAM) and deleted once you close your browser, they’re only present during your browsing session. If you visit a secured website requiring a password, session cookies are what allows you to hop from page to page without needing to log in every time.
  • Persistent cookies – Stored in your computer’s hard drive permanently, persistent cookies are used to update your preferences when you visit a website. They’re used to analyze a user’s browsing habits. If you click “remember me” on a website’s login portal, persistent cookies will keep you logged in, even after you close the browser.
  • Flash cookies – Similar to persistent cookies, except they’re stored as Adobe Flash files instead of text files, these contain the same data and work just like other cookies.

Different types of cyber cookies all help to create seamless online experiences every time you use the internet, but they can also pose a threat if you’re not careful.

Here are five security issues with cookies that you should know about:

1. Cross-Site Request Forgery Attack (XSRF)

The main problem with cookies is that websites can’t distinguish whether a request was triggered by the actual user or by someone else. This “cookie neutrality” is something cybercriminals can take advantage of to initiate a malicious action.

Whenever your browser sends a request to a website, it automatically attaches that website’s cookies, and the website acts on the request as if you had made it yourself. Online criminals can program malicious websites to trigger harmful actions—like deleting files—on another, reputable website where you are logged in. This is called a cross-site request forgery attack (XSRF).

For example, you might visit a popular, legitimate website and have cookies downloaded on your hard drive. We’ll call the site “www.verygood.com.” An attacker can embed a link (or a hidden form) that triggers a delete action on “www.verygood.com” and post it to another website like “www.notgood.com.” When you visit www.notgood.com, your browser sends that request to www.verygood.com along with your www.verygood.com cookies; the server interprets it as a valid request from you and carries out the delete action set by the attacker.

They’re using your legitimate cookies from other websites to initiate malicious actions when you visit another site.

2. Session Fixation

Every time you visit a website requiring a login, your computer will store session cookies for as long as your browser is open. That way, you won’t have to log in every time you visit a new page on the site. While that might provide a more seamless online experience, it can allow attackers to hijack your legitimate session ID.

If a website allows session IDs in the query parameters, an attacker can include a specific session ID in the URL. If they send that URL to a user and the user logs into the website using their legitimate credentials, the attacker can then take over that session and gain access to the user’s account.
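The two server-side controls that close the fixation vector described above, shown as an added example (not code from the original article): never read the session ID from the URL, and throw away the pre-login session ID at login so whichever ID the attacker planted is worthless afterwards. The in-memory `SESSIONS` store and the `password_ok` flag are assumptions standing in for a real session backend and credential check.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory session store for this example: session ID -> username
# (None while the session is still anonymous). A real site would use its session backend.
SESSIONS: Dict[str, Optional[str]] = {}

def new_session() -> str:
    """Create an anonymous session with a server-generated, unguessable ID."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = None
    return sid

def session_id_from_request(cookies: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Only ever trust the session ID carried in the cookie jar.

    A session ID in the query string (?sid=...) is deliberately ignored: accepting it
    is what lets an attacker fix the ID by sending a crafted URL.
    """
    return cookies.get("sid")

def login(cookies: Dict[str, str], query: Dict[str, str],
          username: str, password_ok: bool) -> Optional[str]:
    """Authenticate; on success retire the pre-login ID and issue a fresh one.

    Returns the new session ID the server should send back in a Set-Cookie header,
    or None when the credentials were rejected.
    """
    if not password_ok:
        return None
    old = session_id_from_request(cookies, query)
    if old in SESSIONS:
        # Anyone who knew the old ID (the attacker who planted it) loses it here.
        del SESSIONS[old]
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = username
    return fresh

def current_user(cookies: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Resolve the request's session to a logged-in user, if any."""
    sid = session_id_from_request(cookies, query)
    return SESSIONS.get(sid) if sid else None
```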

3. Cross-Site Scripting (XSS)

Cross-site scripting (XSS) can occur on any website that allows users to write and post unfiltered JavaScript and HTML content.

In this type of cyber security breach, the attacker writes malicious code and posts it to a legitimate, trusted website. When an unsuspecting user visits the website, their browser has no way of knowing the content should not be trusted. It executes all the scripts, giving them access to any session tokens, cookies, or other sensitive information the browser has retained for that site—including login information. The attacker can then steal this data.

4. Cookie Tossing Attack

Some websites use unsecured cookies without a path or domain name. That means if there is more than one cookie with the same name, the browser sends both and which one the server ends up using is effectively arbitrary. Online attackers are finding ways to use this loophole to break into user accounts.

Attackers create a fake cookie for a legitimate website from one of its subdomains and get it into the user’s browser. When the user visits that website, the server has to choose which cookie to use. Sometimes it chooses the legitimate cookie, but other times it will pick up the attacker’s fake cookie. If it does, the attacker will be able to take over the session and gain access to the user’s account.

This is called “cookie tossing” because the attackers simply “throw” a fake cookie to the user and hope the ploy works. This type of attack only works for websites that use unsecured cookies without domain paths and HttpOnly attributes.

Cookie tossing attacks are one of the most common types of cookie-related security issues.

5. Cookie Capturing

If a cookie is being used for authentication purposes—like keeping you logged into a website—it should always be sent via secure SSL/TLS channels. A cookie sent securely carries a “Secure flag” telling the browser that the cookie may only be sent back over these safe channels.

While it’s always best practice to require secure cookie transmissions, not all websites follow those suggestions. If a website allows for cookies to be sent using cleartext, which is unsecured, an attacker could potentially eavesdrop on network traffic to capture the unsecured cookie. They can then use that information to gain illegitimate access to the user’s account on the website.

Tips to Safely Manage Internet Cookies and Privacy

After finding out about all the security issues with cookies, you might be wondering, “are cookies dangerous?” They don’t have to be!

For the most part, cookies are completely safe. Of course, like anything on the internet, attackers are exploiting them to gain access to your accounts. The best way to protect yourself from security problems regarding internet privacy and cookies is to actively manage and monitor cookies on your device.

Here are a few tips to keep your accounts and websites secure from cookie-based attacks:

  • Require a secure connection – The main culprit for cookie-based attacks is an unsecured connection. Mark your cookies Secure so the browser sends them only over SSL/TLS connections. It might mean that some parts of certain websites won’t have access to cookies, but at least your accounts will remain secure.
  • Don’t share with subdomains – The more subdomains allowed access to your cookies, the higher the risk of attack. Setting a cookie for the exact host only, like “www.example.com,” will ensure it is sent only when there’s an exact match. Setting a cookie for the whole domain, like “.example.com,” will also include subdomains like “blog.example.com,” “forum.example.com,” and other areas of the website.
  • Use the HttpOnly flag – The HttpOnly flag tells the browser not to allow JavaScript to access the cookie. This is the best defense against XSS attacks because it stops an injected script from reading the cookie and sending it elsewhere.
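The three tips above, plus the SameSite attribute for the XSRF case, are all attributes on the Set-Cookie header a site sends. The following added example (not from the original article) audits a Set-Cookie value for each weak setting and builds a hardened one; it goes slightly beyond the tips by also checking the `__Host-` cookie-name prefix, which browsers only accept when the cookie is Secure, has no Domain attribute and has Path=/, so a sibling subdomain cannot toss a same-named cookie over it. The sample header values are constructed for this example.

```python
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header: str) -> List[str]:
    """Return a short code for each weak setting; an empty list means hardened."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("no-secure")        # issue 5: may travel in cleartext and be captured
    if "httponly" not in attrs:
        findings.append("no-httponly")      # issue 3: readable by an injected script
    if attrs.get("samesite", "").lower() in ("", "none"):
        findings.append("samesite-none")    # issue 1: attached to cross-site requests
    if "domain" in attrs:
        findings.append("domain-shared")    # issue 4: every subdomain can read and overwrite it
    if attrs.get("path", "") != "/":
        findings.append("path-not-root")    # a cookie set on a sub-path can shadow it
    if name.startswith("__Host-") and any(
        f in findings for f in ("no-secure", "domain-shared", "path-not-root")
    ):
        findings.append("host-prefix-invalid")  # browsers reject such a __Host- cookie outright
    return findings

def hardened_set_cookie(name: str, value: str, same_site: str = "Lax") -> str:
    """Build a session-cookie Set-Cookie value that passes every check above."""
    return f"__Host-{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"

# Constructed examples: a typical weak cookie and its hardened replacement.
WEAK_COOKIE = "sid=abc123; Domain=.example.com; Path=/"
HARDENED_COOKIE = hardened_set_cookie("sid", "abc123")
```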

Since cookies are always being added, deleted or changed, it’s a good idea to actively monitor and manage your cookie settings in your web browser. That way, you can be sure you’re always adhering to the best practices when it comes to managing your internet cookies and privacy.

Keep Your Accounts Safe from Security Issues with Cookies

While cookies are highly beneficial for your online experience and are mostly safe, there are some security concerns you should be aware of. Make sure your cookies are sent only through secure connections, aren’t shared with subdomains, and use the HttpOnly flag. That way you can keep online attackers at bay while maintaining a smooth browsing experience.

Of course, even the best cookie management won’t ensure complete protection from online threats. It’s always a good idea to work with an experienced managed security firm to monitor your networks and protect you from attacks. If an attack does make it through, they’ll be able to contain the issue and mitigate the impact to your systems.

If you’re looking for the best in cybersecurity, trust the experts at Quadrant Information Security. We have years of experience protecting businesses from anything the internet can throw at them.

Contact us today to find out if our proven security strategies are right for your business.
