Cookie Monster Updates

HTTP Cookie Bug Affecting Servers On Non-Generic Domains

I'll try and keep this page updated with the goings-on around the world: who's investigating, who's writing news articles, whatever. Dates and times are local to New Zealand (NZ Daylight Time), and they might be a little after the event as I'm miles behind in checking my email (as you can imagine).


3 February

The German technology website Internet Intern has published an article about Cookie Monster.

12 January

After a call from Brazilian reporter Andres Bueno this morning, Info Exame Online has published an article about the bug. If you can't read Portuguese you might want to have it translated. Because it's not in English, it's unfortunately difficult for me to judge the technical accuracy of the article.


29 Dec

Microsoft have investigated the issue, and responded properly:

"Wanted to follow up with you regarding the cookie issue that you brought up. The IE development team wanted me to pass along their thanks for the detailed write-up on your web page; it made it very easy to understand the issue. They're developing a plan for resolving the issue, and will implement it as part of IE5."

I'll look forward to seeing what IE5 does to curb this problem (and hopefully others regarding cookie security), considering the specification itself is also flawed. Now if only Netscape would at least acknowledge that they got my emails - I've not heard anything from them.

25 Dec - Merry Christmas!

15.34 - Keith Dawson from Tasty Bits from the Technology Front has made this bug Tasty Bit Of The Day. Thanks Keith, for the mention and for the compliments that went with it!

16.00 - Cookie Central have updated their cookie exploit page with a link to cookiemonster. The attitude of Cookie Central seems to be that cookiemonster is just an extension of the '...' vulnerability, but we believe it is more flexible: you still go to www.company.co.nz, for example, and yet the cookie is returned on all .co.nz requests.
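The distinction drawn above, as an added example that is not code from the original page: a check that looks only at the shape of a Set-Cookie domain attribute cannot tell .co.nz from .company.com, while a check that knows which suffixes are shared registries refuses the cookie. The suffix set is a constructed fragment standing in for today's Public Suffix List, and the host names are constructed.

```python
"""Cookie domain attribute checks: shape-only versus public-suffix aware.

Added example, not code from the Cookie Monster page. PUBLIC_SUFFIXES is a
constructed fragment; a real implementation loads the full Public Suffix List.
"""

# Constructed fragment of the Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "nz", "co.nz", "ac.nz", "au", "edu.au", "uk", "co.uk"}


def normalise(domain: str) -> str:
    """Lower-case and drop the leading dot that Set-Cookie domains often carry."""
    return domain.lower().strip(".")


def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if host equals cookie_domain or is a subdomain of it."""
    host, cookie_domain = normalise(host), normalise(cookie_domain)
    return host == cookie_domain or host.endswith("." + cookie_domain)


def shape_only_check(host: str, cookie_domain: str) -> bool:
    """Accept the attribute by shape alone: it must domain-match the setting
    host and have at least two labels. ".co.nz" and ".company.com" look the
    same to this rule, which is exactly the Cookie Monster problem."""
    labels = normalise(cookie_domain).split(".")
    return domain_matches(host, cookie_domain) and len(labels) >= 2


def suffix_aware_check(host: str, cookie_domain: str, suffixes=PUBLIC_SUFFIXES) -> bool:
    """Additionally refuse any attribute that is itself a public suffix, so a
    cookie can never be scoped to a shared registry such as .co.nz."""
    d = normalise(cookie_domain)
    return domain_matches(host, d) and d not in suffixes


def hosts_receiving_cookie(cookie_domain: str, candidate_hosts) -> list:
    """Which candidate hosts a browser would send a cookie scoped to cookie_domain."""
    return [h for h in candidate_hosts if domain_matches(h, cookie_domain)]


if __name__ == "__main__":
    setter = "www.company.co.nz"
    # Constructed hosts standing in for unrelated .co.nz and .ac.nz sites.
    others = ["www.bank.co.nz", "mail.other.co.nz", setter, "www.example.ac.nz"]
    for attr in (".company.co.nz", ".co.nz"):
        print(attr, "shape-only:", shape_only_check(setter, attr),
              "suffix-aware:", suffix_aware_check(setter, attr),
              "would reach:", hosts_receiving_cookie(attr, others))
```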

24 Dec

08.30 - Thanks to the people who've been telling me about other susceptible browsers. Better fix that NGLayout, eh! Could someone try any browser on a Mac please?

10.15 - It has been suggested by one ISP security manager that the implications for web-based banks should be investigated.

14.00 - Well, the trained mammals at the wonderful Slashdot.org seemed to take it seriously. Take a look. Since the article went up, I've had quite a number of reports from other OSs and version numbers which are vulnerable (as expected). Thanks!

14.50 - First response from Microsoft. "Thanks very much for your note. I was not able to reproduce the effect that you described on my machine (Windows 2000 beta 2 running IE 5), but I will ask the IE development team to try other versions of IE. Will let you know what I learn." Umm, right.

19.30 - Scripts have been moved to two servers in the Australian .edu.au domain. Thank you very much to Daniel Austin for hosting the scripts!

23 Dec

Site Launch, Preannouncements

This site is launched, explaining our findings and providing a working demo. Only a few people were notified at this point. Understandably, we are still very cautious about making this public: it affects almost all browsers, and probably has for many years. How could it go for that long without being noticed? Amazing.

Later on I cautiously posted a message to comp.security.misc, and on a mailing list.

22 Dec

First Discovery

First noticed unusual behaviour with cookies and began to investigate in collaboration with colleague Arun Stephens.