Issue 540525 link

Starred by 1 user

Issue metadata

Status: WontFix
Closed: Oct 16
Type: Bug


Security: Chrome doesn't honor cookie deletion from third party sites

Reported by rshu...@gmail.com, Oct 7 2015

Issue description

This template is ONLY for reporting security bugs. Please use a different
template for other types of bug reports.

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs


VULNERABILITY DETAILS
In contrast to other browsers, Set-Cookie requests to delete cookies from third party sites are not honored.

VERSION
Chrome Version: See below
Operating System: Android 5.1.1

REPRODUCTION CASE

Report Details

Email Subject: [8-8433000008788] other in Chrome for Android

Category: other

Product: Chrome for Android

Cid: 8-8433000008788

With Chrome (45.0.2454.94), Chrome Beta (46.0.2490.34), or Chrome Dev (47.0.2507.0) on Android 5.1.1 (LMY48M) on a Nexus 7, visit https://www.earnbymicrosoft.com/ and sign in with a Microsoft account. Now sign out from the hamburger menu in the upper right. This will reference https://www.earnbymicrosoft.com/expirecookie?ct=99.99. It is this request and response that demonstrate the security vulnerability. No cookies are sent with this request though they are sent with the previous and following requests to the same host. More importantly, the Set-Cookie headers in the response to delete the auth cookies are not honored. The cookies are still sent on subsequent requests. The consequence of this is that the user is still signed in.

If you enable third party cookies, Chrome works.

Safari on iOS9 with cookies configured for "Allow from Current Website Only" works. So does Safari on iOS 9.1 beta with the same setting.

Internet Explorer and Edge on Windows 10, both configured to block third party cookies, both work.


Comment 1 by f...@chromium.org, Oct 7 2015

Labels: -Restrict-View-SecurityTeam -Type-Bug-Security Restrict-View-ChromePrivacy Type-Bug Cr-Privacy Cr-Internals-Network-Cookies
I have tried to reproduce this but failed (Nexus 6, Chrome 45.0.2454.94):

1) Created a microsoft account
2) Clicked on "sign in" at https://www.earnbymicrosoft.com/
3) Signed in using microsoft site.
4) Clicked on "sign out" in the hamburger menu.
5) Went to https://www.earnbymicrosoft.com/ again. Observed that I need to sign in again.

Did I miss anything in the reproduction steps?

Comment 3 by rshu...@gmail.com, Oct 16 2015

Site is broken. I replied to email notification and received the following.  Please fix this and send me an email when complete.  We can continue discussion then.

From: codesite-noreply@google.com
Sent: Wednesday, October 7, 2015 10:46 PM
To: rshupak@gmail.com
Subject: Your message is not a reply to a notification email



The email message you sent to chromium@googlecode.com
was not processed because it was not a reply to a notification
email that we sent specifically to rshupak@gmail.com.

At most one email reporting this error will be
sent to you in a 24-hour period.

To learn more, please visit:
http://code.google.com/p/support/wiki/InboundEmail



Comment 4 by battre@chromium.org, Oct 19 2015

test

Comment 5 by battre@chromium.org, Oct 19 2015

Replying to the email works for me. If it does not for you, please use https://code.google.com/p/chromium/issues/detail?id=540525 to post responses. It should be linked in every email you get. 

Comment 6 by rshu...@gmail.com, Oct 19 2015

This web site is still broken.

From: codesite-noreply@google.com
Sent: Monday, October 19, 2015 7:40 AM
To: rshu...@gmail.com
Subject: Your message is not a reply to a notification email



The email message you sent to chromium@googlecode.com
was not processed because it was not a reply to a notification
email that we sent specifically to rshupak@gmail.com.

At most one email reporting this error will be
sent to you in a 24-hour period.

To learn more, please visit:
http://code.google.com/p/support/wiki/InboundEmail

Comment 7 by rshu...@gmail.com, Oct 19 2015

I just reproduced on Nexus 6 running Chrome 46.0.2490.76 on Android 5.1.1 build LMY48T. Make sure that under Settings/Site settings/Cookies you have Allow third-party cookies disabled.

As for repro steps, after step 4 you should still be on the earn by Microsoft site. Just tap the hamburger menu to see that Sign Out with your name will be present.

Comment 8 by battre@chromium.org, Oct 21 2015

I cannot test this anymore because Microsoft has blocked my test account. :-/

Can you check whether https://www.earnbymicrosoft.com/expirecookie?ct=99.99 is only part of a redirect chain? In this case we do not update the first party domain during the redirect chain. It is hard to debug a feature on a domain for which we don't know the business logic.

Comment 9 by rshu...@gmail.com, Oct 23 2015

I will have to check later but I am pretty 99.9% confident there is no redirect involved. It is a third party reference.  I have not debugged the script but this URL is in an array of URLs to be accessed to delete cookies on sites to which the user is signed in.

In my opinion, the flaw here is that while third party sites should not be sent cookies nor should they be able to set cookies with the Set-Cookie header, requests to delete cookies with the Set-Cookie header should succeed.

None of Chrome, Edge, IE, and Safari behave the same with third party cookies.  Well, maybe Edge and IE do but both differ from Chrome and Safari which differ from one another.  In the case of this example site, and there are others, Edge, IE, and Safari honor the deletion while Chrome doesn't.  I view this as a security issue because this site as well as others I have seen are trying to delete cookies to remove traces of the current user.  For shared devices, leaving a trace is bad.  Even for non-shared devices, users don't always use incognito, InPrivate, or whatever Safari calls it.
Cc: jochen@chromium.org mkwst@chromium.org

Jochen, Mike: What do you think of changing "Block third party cookies" so that deletions are permitted? I could see this as an option.

not in favor

i'd rather not water down the policy. I can also think of situations where this could be abused by sites (set n cookies when first party, delete a special cookie when third party depending on which first party you're on, next time you visit the site first party, it can use the absence of cookies to tell which other sites you've visited)

btw, reply by email is not supported on this bug tracker.

Comment 13 by rshu...@gmail.com, Oct 23 2015

If sites wanted to track users with cookie deletion you would be seeing this already since it works with Edge, IE, and Safari.  It works with Chrome too by default since Chrome's default settings are not privacy friendly and allow third party cookies with full functionality.

I am also skeptical any site would try to track users by cookie deletion.  Since third party sites won't receive any cookies, they have to choose the cookie to delete based on no information other than the site visited now.  There would have to be a unique cookie for each and every site.  It's also impractical for the case of affiliated first and third party sites since you would use the first party site for tracking. For unaffiliated third party sites (e.g. advertisers) the user isn't visiting.  At best they would learn they served an advertisement.  And it would have to be an advertiser you visited as a first party site.

Google is the only company I remember getting caught abusing third party requests with Safari and that wasn't cookie deletion.  Do you think Google would try this again?  I can't imagine they would nor that they would try to set a separate cookie for each Google site just to delete it.

Can I close this old bug as WontFix? Per #11, my understanding is that there's no change, as deleting cookies counts as modifying them (since deleting is a way to communicate information as well), and thus is prohibited by 3P cookie blocking.

Note that we also affirmed this stance when shipping the Clear-Site-Data header; bulk deletion of cookies for an origin is not allowed when cookies are blocked: https://cs.chromium.org/chromium/src/content/browser/browsing_data/clear_site_data_handler_unittest.cc?type=cs&q="ClearSiteDataHandlerTest,+LoadDoNotSaveCookies"
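
The policy described in #11 and #14, modelled as a small cookie jar (an added example, not Chromium's code): a Set-Cookie that expires a cookie is a write like any other, so blocking third-party writes also blocks third-party deletions, and the sign-out request from the report leaves the auth cookie in place. The logout-page host, cookie names and Set-Cookie headers are constructed; third-partiness is simplified to an exact host comparison rather than a registrable-domain check.

```python
"""Model of "block third-party cookies" as applied to cookie deletion.
Added example, not Chromium code. Hosts, cookie values and Set-Cookie
headers are constructed for illustration."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse


def is_third_party(top_level_site, request_url):
    # Simplification: exact host comparison instead of registrable-domain match.
    return urlparse(request_url).hostname != top_level_site


def is_deletion(morsel):
    # Only Max-Age<=0 is treated as a deletion here; an Expires in the past
    # would be handled the same way in a real jar.
    return morsel["max-age"] != "" and int(morsel["max-age"]) <= 0


def apply_set_cookie(jar, top_level_site, request_url, headers, block_third_party):
    """Apply response Set-Cookie headers to jar; returns per-cookie actions."""
    host = urlparse(request_url).hostname
    actions = []
    for header in headers:
        sc = SimpleCookie()
        sc.load(header)
        for name, morsel in sc.items():
            if block_third_party and is_third_party(top_level_site, request_url):
                actions.append((name, "ignored"))  # a deletion is a write too
            elif is_deletion(morsel):
                jar.get(host, {}).pop(name, None)
                actions.append((name, "deleted"))
            else:
                jar.setdefault(host, {})[name] = morsel.value
                actions.append((name, "set"))
    return actions


def cookies_for(jar, top_level_site, request_url, block_third_party):
    """Cookies the jar would attach to a request under the policy."""
    if block_third_party and is_third_party(top_level_site, request_url):
        return {}
    return dict(jar.get(urlparse(request_url).hostname, {}))


def sign_out_scenario(block_third_party):
    """Replays the report: auth cookie set first-party on the earn site, then
    a third-party expirecookie request (from a constructed logout page) tries
    to delete it. Returns the cookies still sent on the next first-party visit."""
    earn = "www.earnbymicrosoft.com"
    jar = {}
    apply_set_cookie(jar, earn, f"https://{earn}/", ["auth=abc123; Path=/"], block_third_party)
    apply_set_cookie(jar, "logout-page.example", f"https://{earn}/expirecookie?ct=99.99",
                     ["auth=; Max-Age=0; Path=/"], block_third_party)
    return cookies_for(jar, earn, f"https://{earn}/", block_third_party)
```

With third-party cookies blocked the auth cookie survives and the user stays signed in, which is exactly the behaviour reported; with them allowed the deletion goes through.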
Status: WontFix (was: Unconfirmed)

OK, I'm closing this per #11; that is, 3P cookie policy applies to any modification, including deletion.

If this will not be fixed, please remove Restrict-View-ChromePrivacy.

Labels: -Restrict-View-ChromePrivacy

Sure. This didn't have to be restricted in the first place, as there's nothing sensitive in the bug.