Understanding Internet Cookies: Privacy & Security Risks (2024)

General security

Anyone who regularly browses the internet must have seen some sort of pop-up or other form of alert about the use of cookies. Some sites even give you the option to accept cookies completely or only partially. So, there is an important question to answer: is it safe to enable cookies?

In truth, the use of cookies can be traced back to the dawn of the world wide web. In 1994, a Netscape Communications employee created them as a solution that would help make shopping carts for e-commerce stores possible. They have been widely used since then. However, even today, most internet users still do not understand exactly what they are or how their use can pose risks to information security and privacy.

Concerns in this area are also not exactly new. For example: in 2011, the European Union approved the Cookie Law: even though some people were a bit disappointed after discovering it would not make access to delicious chocolate cookies a fundamental human right, this new regulation was another important step towards protecting personal data and guaranteeing the right to privacy. It basically states that websites need to seek consent before exposing you to cookies.

Simply put, cookies are an important tool on the internet and have the potential to give businesses a great deal of insight into their users’ online activity. Far beyond the privacy-related issues, there are many ways that unprotected cookies can be manipulated and expose both users and organizations to severe security incidents.

What are cookies and how do they work?

Cookies are small text files that websites place on your devices as you are browsing. In fact, the cookies themselves are quite harmless; they are processed and stored by your web browser and are fundamental to some functions on websites, such as the aforementioned shopping carts.

Cookie usage is very simple to describe. When you visit a website, your browser sends a request; the website replies with the requested information and a cookie that is stored in your browser. Whenever you send another request to the same site, your browser also sends the cookie, so you can be easily identified. This can be used in functions such as selecting a language on a multilingual website, keeping your user authenticated or tracking your actions. In fact, it’s quite possible that there are literally thousands of cookies stored in your browser right now.

There are three basic types of cookies, and each has a specific purpose:

  • Session cookies: These are temporary cookies. They should only be valid for a single session and disappear once you close your browser, as they are usually kept in active memory. This is the most common type of cookie. Basically, they tell the server that all your requests (within a period of time) came from the same source and should be treated as a single session.
  • Permanent cookies: This type of cookie is used to identify you for a longer period, over multiple different sessions. It is also known as a persistent cookie. These cookies are stored on your hard drive and will not be deleted automatically. Permanent cookies have two basic functions: authentication and tracking. For example, each time you activate a “remember me” or “keep me logged in” option on a website, you are using a permanent cookie for authentication purposes. Now for the tracking part. Most of the time these cookies are activated automatically, and unless the website provides you with an alert or gives you the option to disable unnecessary cookies, this can happen without you even knowing it.
  • First-party and third-party cookies: Some cookies are created by the website you are visiting. For example, most session cookies are first-party cookies. But there is also the case of cookies being created by a website you are not even visiting: these are third-party cookies, also known as marketing or advertising cookies, and they are used for tracking a user and gathering information across different websites. As third-party cookies gather more and more information, they are used to provide a “personalized experience.” In most cases, this means you will be receiving custom ads based on information such as previous queries, behaviors, geographic location, interests and more.

So, if temporary cookies vanish automatically and persistent cookies can usually be easily viewed and deleted, then what’s the fuss about? Well, for starters, third-party cookies can represent a severe risk to privacy, but that’s not the only problem. There are several types of fraud and cyberattacks based on exploiting cookie vulnerabilities, and these may lead to severe security incidents.

Cookie risks

It’s not like you can get a virus from a cookie; after all, they are just simple text files and do not contain any sort of executable. Yet, depending on how cookies are used and exposed, they can represent a serious security risk.

For instance, cookies can be hijacked. As most websites use cookies as the only identifiers for user sessions, if a cookie is hijacked, an attacker would be able to impersonate the user and gain unauthorized access.

This may happen in several different ways:

  • Capturing cookies over insecure channels: Any cookie related to authentication should always be transmitted securely, but that is not always the case. One example is a cookie set without the Secure flag. When a cookie is set with the Secure flag, it instructs the browser that the cookie may only be sent over secure SSL/TLS channels. If the Secure flag is not set, a cookie can be transmitted in cleartext — for instance, if the user visits any HTTP URL within the cookie's scope. This would allow an attacker eavesdropping on network traffic to easily capture the cookie and use it to gain illegitimate access.
  • Session fixation: This is another attack that allows an attacker to hijack a valid user session. This time, it exploits a limitation in the way the web application manages the session ID. For example, if an application accepts a session token in the query parameters, an attacker may send a user a URL with a specific session ID included in its arguments. Now, when the user authenticates by using this URL, the attacker can hijack the session.
  • Cross-site scripting (XSS): Another way to steal cookies is using cross-site scripting to exploit websites that allow users to post unfiltered HTML and JavaScript content. For example, if a user clicks on a malicious link posted by an attacker, it may execute the JavaScript code and cause the victim's web browser to send the victim's cookies to a website the attacker controls.
  • Cross-site request forgery (CSRF): This is a type of attack that exploits a website by making it execute unauthorized commands that are transmitted from a user that the web application trusts. In a CSRF attack, the attacker's objective is to use an innocent victim to unknowingly submit a maliciously crafted web request to a website that the victim has privileged access to. Since the victim is already logged in, any request coming from their browser will be deemed trustworthy and executed. For a CSRF attack to work, an attacker must first identify a reproducible web request that executes a specific action — for example, changing a password on the target page. Once such a request is identified, a link can be created that generates this malicious request, and that link can be embedded on a page within the attacker's control. Even worse, it may not even be necessary for the victim to click the link. For instance, it may be embedded within an HTML image tag in an email sent to the victim, which will automatically be loaded when the victim opens their email.
  • Cookie tossing: A cookie tossing attack is based on providing a user with a malicious cookie that has been designed to look like it came from the targeted site’s subdomain. Of course, this becomes especially problematic when a website allows untrusted people to host subdomains under its domain. When the user visits the target site, all cookies are sent, both valid and the ones appearing to be from subdomains.

In this attack, the ability to take over a session is quite limited, because the attacker can only write information, not read anything. However, cookie tossing can be used to set arbitrary cookie values that, in some cases, can be used for a CSRF attack or an XSS injection, depending on what the main domain does with the content of the cookie.

Cookies may also represent a severe risk to privacy. Their use in tracking users has evolved significantly over the years: from simple operations such as counting ad impressions, views and clicks, to limiting pop-ups and preserving ad sequence, marketing cookies are now able to perform user profiling and website-preference tracking. With most of the largest websites using large-scale third-party ad-serving networks such as Google's AdSense/AdWords, this has attracted a great deal of controversy and concern among online consumer privacy groups, to the point that specific regulations have been developed to prevent abuse.

Concluding thoughts

So: is it safe to enable cookies? In short, yes, it can be. Of course, cookies carry several security and privacy risks, but they can also be very useful and provide essential functions on most current websites. Therefore, completely disabling cookies is not a feasible approach.

The focus should be on making sure that cookies are used in a secure way. There are many simple steps a developer can take to mitigate vulnerabilities — for example, enabling the HttpOnly flag when generating a cookie prevents client-side script from accessing the protected cookie. Similarly, the Secure flag prevents the cookie from being sent over an unencrypted HTTP request, so it cannot be observed in cleartext by unauthorized parties on the network.
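A check for the two flags just described, as an added example and not code from the article. It also tests the SameSite attribute and the __Host- name prefix, which the article does not cover but which address the CSRF and cookie-tossing cases above; the function names and the sample header are assumptions.

```python
from http.cookies import SimpleCookie


def audit_set_cookie(header_value: str) -> dict[str, list[str]]:
    """Map each cookie in a Set-Cookie header value to the weaknesses it carries.

    Each finding names the attack from the article it leaves the cookie open to;
    an empty list means none of these checks fired.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    report: dict[str, list[str]] = {}
    for name, morsel in jar.items():
        findings = []
        if not morsel["secure"]:
            findings.append("no Secure flag: sent in cleartext if an http:// URL in scope is visited")
        if not morsel["httponly"]:
            findings.append("no HttpOnly flag: readable by injected script (XSS cookie theft)")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            findings.append("SameSite not Lax/Strict: attached to cross-site requests (CSRF)")
        if morsel["domain"]:
            findings.append("Domain attribute set: shared with every subdomain (cookie tossing)")
        if not name.startswith("__Host-"):
            findings.append("no __Host- prefix: a subdomain can set a same-named cookie")
        report[name] = findings
    return report


def hardened_set_cookie(name: str, value: str, max_age: int) -> str:
    """Build a Set-Cookie value that passes every check in audit_set_cookie."""
    # Browsers only accept __Host- cookies that are Secure, carry no Domain
    # attribute and use Path=/, which is what blocks a subdomain from
    # planting a cookie of the same name.
    return (f"__Host-{name}={value}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")


# Constructed sample: a session cookie issued with no protection at all.
WEAK_HEADER = "sid=abc123; Path=/"
```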

There are also basic steps a user can take to avoid cookie-related security risks. For instance, it is essential to keep your browser updated. Also, most modern browsers allow you to easily delete or even block cookies. If that is not enough, there are a number of browser plugins/extensions to manage or even auto-delete cookies. This also helps with privacy-related problems, as it makes it easier to block those nasty advertising cookies.

It is just as an old Oracle used to say:

“Here, take a cookie. I promise, by the time you're done eating it, you'll feel right as rain.”


