Who Left Open the Cookie Jar? presented at Black Hat Asia 2019

by Tom Van Goethem, Gertjan Franken

Summary: Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. Although protected by the Same-Origin Policy, popular browsers include cookies in all requests, even when these are cross-site. Unfortunately, these third-party cookies enable both cross-site attacks and third-party tracking. As a response to these nefarious consequences, various countermeasures have been developed in the form of browser extensions or even protection mechanisms that are built directly into the browser. In this presentation, we elaborate on our study in which we evaluated the effectiveness of these defense mechanisms by creating a framework that automatically evaluates the enforcement of the policies imposed on third-party requests. By applying our framework, which generates a comprehensive set of test cases covering various web mechanisms, we identified several flaws in the policy implementations of the 7 browsers and 46 browser extensions that were analyzed. We find that even built-in protection mechanisms can be circumvented by the multiple novel techniques we discovered. Furthermore, our results show that for every anti-tracking or ad-blocking browser extension, there exists at least one technique to bypass its defenses. Based on these results, we argue that our proposed framework is a much-needed tool to detect bypasses and evaluate solutions to the exposed leaks. Finally, we analyze the origin of the identified bypass techniques, and find that these are due to a variety of implementation, configuration and design flaws.