
Issue 782112

Issue metadata

Status: WontFix
Closed: Nov 2017
Type: Bug-Security

Security: Some websites use cookies without SECURE and HTTPOnly attributes

Reported by natnaelf...@gmail.com, Nov 7 2017

Issue description

Flags are missing in the cookie (1P_JAR, Secure), (NID, HttpOnly)

The Secure flag is not set on the cookie, so the browser will send it over an unencrypted channel (plain HTTP) if such a request is made. Thus, the risk exists that an attacker might intercept the clear-text communication between the browser and the server and he will steal the cookie of the user. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.


Lack of the HttpOnly flag permits the browser to access the cookie from client-side scripts (ex. JavaScript, VBScript, etc). This can be exploited by an attacker in conjunction with a Cross-Site Scripting (XSS) attack in order to steal the affected cookie. If this is a session cookie, the attacker could gain unauthorized access to the victim's web session.
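
Added example, not part of the original report or of Chromium's code: a Node.js check that parses `Set-Cookie` header values and lists which of the two attributes described above each cookie lacks. The header strings, cookie names and function names are constructed for illustration; a missing attribute is something to review against the cookie's use case, not proof of a flaw.

```javascript
// Constructed Set-Cookie header values (names and values are made up).
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'prefs=lang-en; Expires=Wed, 07 Nov 2018 00:00:00 GMT; Path=/; HTTPONLY',
  'track=xyz; Domain=example.test; secure',
  'mode=HttpOnly-Secure; Path=/', // attribute names inside the value do not count
];

// Split one Set-Cookie value into its name and a map of lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const pair = parts.shift() || '';
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // not a name=value pair, nothing to audit
  const attrs = new Map();
  for (const part of parts) {
    const i = part.indexOf('=');
    // Attribute names are case-insensitive; Secure and HttpOnly carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? true : part.slice(i + 1).trim());
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// Report which of the two attributes a single cookie lacks.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  if (!cookie) return null;
  const missing = [];
  // Without Secure the cookie is also attached to plain-HTTP requests.
  if (!cookie.attrs.has('secure')) missing.push('Secure');
  // Without HttpOnly the cookie is readable from script via document.cookie.
  if (!cookie.attrs.has('httponly')) missing.push('HttpOnly');
  return { name: cookie.name, missing };
}

// Keep only the cookies that lack at least one attribute.
function auditHeaders(headers) {
  return headers.map(auditSetCookie).filter((r) => r && r.missing.length > 0);
}

for (const r of auditHeaders(SAMPLE_HEADERS)) {
  console.log(`${r.name}: missing ${r.missing.join(', ')}`);
}
```

Parsing the attributes instead of searching the raw header for the words avoids counting a cookie value such as `HttpOnly-Secure` as if the flags were set.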



 
Components: Internals>Network>Cookies
Labels: Needs-Feedback
This does not represent a security vulnerability in Google Chrome. Chrome supports the flags mentioned (Secure, HTTPOnly) as well as other flags relevant to security.

Are you attempting to report a vulnerability in a specific website? If so, which site?
Labels: Security_Impact-None
Cc: elawrence@chromium.org
Status: WontFix (was: Unconfirmed)
Summary: Security: Some websites use cookies without SECURE and HTTPOnly attributes (was: Security: insecure HTTP cookies)
Given mention of a cookie named "NID", it's possible that you're discussing a cookie sent by a Google website. Google websites use cookies as described here: https://www.google.com/policies/technologies/types/

Google teams are typically very well aware of the security properties of cookies and set the strictest security directives available to satisfy the use case for each cookie.

With that said, if you believe you've found a cookie that leaks sensitive data over a non-secure channel, please feel free to report the bug via the process described here: https://sites.google.com/site/bughunteruniversity/

If you were attempting to report a problem with a non-Google website, please contact them directly.
Project Member

Comment 4 by sheriffbot@chromium.org, Feb 15 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot