Newfangled cookie attack steals/poisons website creds

A security researcher has discovered a weakness in a core browser protocol that compromises the security of Google, Facebook, and other websites by allowing an attacker to tamper with the cookies they set. The weakness stems from RFC 2965, which dictates that browsers must allow subdomains (think www.google.com) to set and …

COMMENTS

This topic is closed for new posts.
  1. bell
    Paris Hilton

    Surely some of this is easily avoided

    While tampering with session cookies is definitely an issue, although not an insurmountable one, the JavaScript injection is really avoidable. Memo to Expedia: Cookie content is NOT trusted data.

    Paris, 'cos even she's not as wide open as reports suggest.

  2. Pascal Monett Silver badge

    Just one question

    Is Firefox concerned by this exploit or not?

  3. Anonymous Coward

    Am I missing something here?

    Cookie data is effectively user input. Any web app that doesn't sanitise user inputs gets what it deserves. Even if some student's project is insecure, that's no excuse for fuck ups elsewhere.

  4. Frank Bitterlich

    Stop the press...

    Whoa, you mean that messy security on subdomain.mydomain.com can affect mydomain.com, too? Now that's a _whole_ new concept!

    (For those from Beteigeuze, now's the right time to switch on your irony detector.)

  5. Stevie

    Bah!

    So my navel-lint blog is compromised?

    Noooooooooooooooooooooooooooooooooooooo!
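
Added example, not part of the original thread or of any site's code: a server-side sketch of the point made in comments 1 and 3, that a cookie is user input and, because the Cookie header carries no Domain attribute, a value set by a sibling subdomain is indistinguishable from the site's own. The cookie name `last_city`, the key and the page fragment are hypothetical.

```python
import hashlib
import hmac
import html

SECRET = b"constructed-demo-key"  # constructed value; use a managed secret in practice

def sign(value):
    """Return value.mac so the server can recognise cookies it issued itself."""
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"

def cookie_values(header, name):
    """Return every value sent for name, in header order. Duplicates are
    possible when another host in the same domain sets the same name."""
    values = []
    for pair in header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            values.append(value)
    return values

def verified_value(header, name):
    """Return the first value whose MAC checks out, else None."""
    for raw in cookie_values(header, name):
        value, sep, _mac = raw.rpartition(".")
        if sep and hmac.compare_digest(sign(value).encode(), raw.encode()):
            return value
    return None

def render_greeting(header):
    """Build an HTML fragment from the hypothetical last_city cookie."""
    city = verified_value(header, "last_city")
    if city is None:
        return "<p>Welcome</p>"  # unsigned or tampered cookie: ignore it
    # Escape on output even after verification: integrity is not HTML safety.
    return f"<p>Flights from {html.escape(city)}</p>"

if __name__ == "__main__":
    # Constructed Cookie header: an unsigned injected value ahead of the real one.
    header = ("last_city=<script>alert(1)</script>; sid=abc; last_city="
              + sign("Nice&Lyon"))
    print(cookie_values(header, "last_city"))
    print(render_greeting(header))
```

The MAC only shows that the server issued the value at some point; it does not stop a validly signed cookie from one session being replayed into another, so session-bound data should include the session or user identifier in the signed input.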
