The Internet has undergone major technical changes in recent years, which has also led to new security problems. The IT security team at TU Wien (Vienna) analyzed security vulnerabilities that arise from the interaction of cookies and web frameworks – software packages that are often used today by web programmers to create websites. It was discovered that bugs in the way browsers and servers process cookies can, in some cases, allow attackers to access personal accounts and execute unauthorized actions.
The international IT security community is now working to close these loopholes. The findings have been presented for the first time at two of the most prestigious security conferences: Black Hat USA in Las Vegas and USENIX Security in Anaheim, California.
The code is becoming increasingly complex
People often think of access to protected information on the Internet as a door with a lock: if you have the key or know some clever tricks, you can get in. In reality, however, things are much more complicated today: there is no single, well-defined "lock," but rather a multitude of codes that interact in complex ways and are constantly being changed by many people. Protection on the Internet is more like an impenetrable thicket than a locked door.
"In the past, the Internet was merely a distribution platform for information. Today, it's a distribution platform for apps and code," says Marco Squarcina from the Institute for Logic and Computation at TU Wien. For many websites today, so-called frameworks are used – software that contains numerous functions so that parts of the code do not have to be reprogrammed each time. Web servers work with software that changes over the years, and the same is true for browsers.
"Often, security problems arise only because of this complex interaction between different components," says Marco Squarcina. "It may be that two of these components work flawlessly on their own and adhere to all generally accepted security principles, but when you combine them, vulnerabilities suddenly appear." These vulnerabilities can lead, for example, to attackers being able to take over a web session from the outside and impersonate another user to a server – such as the legitimate owner of a particular bank account.
The team is particularly concerned with cookies – small portions of data that are exchanged between the server and the browser, for example to store individual user data for the next time the user visits a website. "We were quite shocked when we found out what security vulnerabilities currently exist here," says Squarcina.
Cookies usually have a name, but technically, nameless cookies are also allowed. In this case, however, certain protection mechanisms fail. This allows the following line of attack: "The attacker visits a legitimate website, let's call it bank.com, and obtains a session identifier to communicate with the server," Marco Squarcina explains. "The victim is directed to a compromised subdomain – say hr.bank.com. This site exchanges the session cookie in the victim's browser for the attacker's session cookie. When the victim now logs into bank.com again, the attacker can now also log in, since they are sharing the same session identifier."
That way, the attacker can pretend to be someone else. The attacker can communicate with the web server as if they were the victim and perform unwanted actions or obtain access to the victim's website account.
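The shared-identifier problem described above can be reproduced in a few lines, together with the usual server-side countermeasure of issuing a fresh session identifier at login. This is an added example, not code from the TU Wien team or from any affected framework; `SessionStore`, its methods and `simulate` are hypothetical names, and identifier rotation is shown as the general defence against a pre-set session identifier, not as the fix the researchers coordinated.

```python
import secrets


class SessionStore:
    """Minimal server-side session table (hypothetical): session id -> user."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # Anonymous session, as handed out to any visitor before login.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)

    def login_keep_id(self, sid, user):
        # Weak pattern: authenticate whatever identifier the browser presented.
        if sid not in self._sessions:
            sid = self.new_session()
        self._sessions[sid] = user
        return sid

    def login_rotate_id(self, sid, user):
        # Hardened pattern: discard the presented identifier and bind the
        # authenticated user to a fresh one that only this browser receives.
        self._sessions.pop(sid, None)
        fresh = self.new_session()
        self._sessions[fresh] = user
        return fresh


def simulate(login_method):
    """Return (user seen via attacker's id, user seen via victim's cookie)."""
    store = SessionStore()
    attacker_sid = store.new_session()  # attacker obtains an identifier
    victim_cookie = attacker_sid        # victim's cookie was exchanged for it
    victim_cookie = getattr(store, login_method)(victim_cookie, "victim")
    return store.user_for(attacker_sid), store.user_for(victim_cookie)


if __name__ == "__main__":
    print("keep id  :", simulate("login_keep_id"))
    print("rotate id:", simulate("login_rotate_id"))
```

With `login_keep_id` the attacker's identifier resolves to the victim's account after login; with `login_rotate_id` it resolves to nothing, while the victim's new cookie works normally.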
No central security authority
In the case of cars, there are clear legal requirements as to which security criteria they must meet in order to be approved. On the Internet, things are more complicated. "Web standards are written by international organizations and validated through expert review, but the nature of the web makes it impossible to have a central authority enforcing their uniform adoption. And, sometimes, like in this case, the issues are also in the standard itself," says Marco Squarcina. "Internet security continues to evolve in a rather disorganized way. When we discover security flaws like these, we get in touch with all affected parties and discuss possible solutions. Big companies like Google have dedicated security teams who can understand the issue and close the gaps quickly. But small open-source projects require additional effort to explain the problem in detail."
Marco Squarcina now considers the most important security holes surrounding the problems discovered at TU Wien to be closed, but certain dangers still remain. Squarcina has now presented his findings to the international community at two important security conferences in the U.S. This should help raise global awareness and close the gaps in the long term.
Dr. Marco Squarcina
Institute for Logic and Computation
Technische Universität Wien
+43 1 58801 192607