Closed Bug 1648993 Opened 4 years ago Closed 4 years ago

Cookie that was set with Secure flag over HTTPS is included in request over HTTP when server runs on localhost

Categories: Core :: Networking: Cookies, defect

Status: RESOLVED INVALID

People: Reporter: marc, Unassigned

References: Regression

Details: Keywords: regression, Whiteboard: [reporter-external] [client-bounty-form] [verif?]

Attachments (1 file): PoC.pdf, 442.68 KB, application/pdf

When a Cookie that uses the Secure flag is set in a response over HTTPS, browsers must not send back the cookie over HTTP. However, in the current version of Firefox on macOS (Firefox 77.0.1 (64-bit) on macOS Catalina 10.15.5), the Cookie is sent back over HTTP, at least when the server is running on localhost. I didn't check other versions.

I discovered this when doing some analyses on localhost (i.e., the server runs on localhost). This is documented in the attached file. I then tried to reproduce it with web servers in the wild, but I didn't manage to do so. If the issue only happens on localhost, the security impact is limited. However, if it is also possible with remote servers, the issue is much more serious, as described below.

As such cookies are usually used to identify authenticated sessions, e.g., in e-banking, they are highly security critical and leaking them to an attacker often allows the attacker to hijack the session. A specific attack to get the cookie may look as follows:

  • The victim has an authenticated session with https://www.bank.site and the corresponding cookie was set using the Secure flag.
  • The attacker can read data communicated between the victim and the site, e.g., by being located in the same local network as the victim and redirecting the traffic over his own host using ARP spoofing (there are also other ways the attacker can get onto the communication channel).
  • The attacker sends the victim an e-mail with a link to http://www.bank.site (or uses some other means that has the effect that the victim's browser sends a corresponding request, e.g., by using CSRF).
  • If the victim clicks the link, a request is sent to http://www.bank.site. As the request includes the cookie and as the request will be intercepted by the attacker, the attacker can hijack the authenticated session.
Flags: sec-bounty?

This only affects localhost, not other http sites (as you discovered). We deliberately started treating http-accessed localhost as secure as far as the cookie "Secure" attribute was concerned in bug 1618113, landed in Firefox 75. This is to align it with other parts of the web's HTML5 / DOM specs and when they treat things as "secure" contexts, and to make it easier for web devs to develop sites/apps locally. Chrome is intending to do the same in https://bugs.chromium.org/p/chromium/issues/detail?id=1056543.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Type: task → defect
Closed: 4 years ago
Component: Security → Networking: Cookies
Product: Firefox → Core
Regressed by: 1618113
Resolution: --- → INVALID
Has Regression Range: --- → yes
Keywords: regression
Flags: sec-bounty? → sec-bounty-
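To make the two comments above concrete, here is an added example (not Firefox's cookie code, and not from the reporter's PoC) that models the single decision at issue: whether a cookie carrying the Secure attribute may be attached to a request for a given URL. The `localhostIsSecure` switch contrasts the pre-Firefox-75 behaviour (Secure cookies go over https only) with the post-bug-1618113 behaviour (plain-http loopback counts as a secure context). The loopback rules in `isPotentiallyTrustworthy` follow the W3C Secure Contexts definition (https, wss, file, `localhost` and `*.localhost`, 127.0.0.0/8, `::1`); the exact list Firefox uses is not shown on this page, so treat it as an assumption. The cookie objects and hostnames are constructed sample data.

```javascript
'use strict';

// Hostnames/addresses that browsers treat as loopback and therefore
// trustworthy (assumed to match the Secure Contexts spec, not Firefox's exact list).
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '[::1]') return true;               // URL.hostname keeps the brackets for IPv6
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(h);
}

// "Potentially trustworthy origin" check, simplified from the Secure Contexts spec.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (['https:', 'wss:', 'file:'].includes(u.protocol)) return true;
  return isLoopbackHost(u.hostname);
}

// Decide whether a stored cookie is attached to a request for `url`.
// Only the host match and the Secure attribute are modelled; Path, Domain
// suffix matching, expiry and SameSite are left out to keep the focus on
// the Secure check that this bug is about.
function shouldSendCookie(cookie, url, { localhostIsSecure = true } = {}) {
  const u = new URL(url);
  if (u.hostname.toLowerCase() !== cookie.host.toLowerCase()) return false;
  if (!cookie.secure) return true;              // non-Secure cookies go over any scheme
  if (u.protocol === 'https:') return true;     // Secure cookie over https: always fine
  if (!localhostIsSecure) return false;         // Firefox < 75: https only, full stop
  return isPotentiallyTrustworthy(url);         // Firefox >= 75: http://localhost is a secure context
}

// Constructed sample cookies, as if set by "Set-Cookie: sid=...; Secure" over https.
const sessionCookie = { name: 'sid', value: 'constructed-value', host: 'www.bank.site', secure: true };
const localCookie   = { name: 'sid', value: 'constructed-value', host: 'localhost',     secure: true };

// Runs the four cases the bug discussion turns on and returns them by name.
function demo() {
  return {
    bankOverHttps:    shouldSendCookie(sessionCookie, 'https://www.bank.site/account'),
    bankOverHttp:     shouldSendCookie(sessionCookie, 'http://www.bank.site/account'),
    localhostHttpNew: shouldSendCookie(localCookie, 'http://localhost:8080/'),
    localhostHttpOld: shouldSendCookie(localCookie, 'http://localhost:8080/', { localhostIsSecure: false }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}

if (typeof module !== 'undefined') {
  module.exports = { isLoopbackHost, isPotentiallyTrustworthy, shouldSendCookie, demo };
}
```

Running `node` on the file prints `bankOverHttp: false` under both behaviours, which is the property the reporter was worried about for remote sites, while `localhostHttpNew` is `true` and `localhostHttpOld` is `false`, which is exactly the change bug 1618113 made. The check in `shouldSendCookie` is also a useful mental model when reviewing a local development setup: a Secure cookie being replayed to `http://localhost` is expected in Firefox 75 and later and is not evidence that the same cookie would be sent to an `http://` URL on the public Internet.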