views: 28
answers: 1

Hi,

I've been asked to analyse an old web app which stores sensitive information in cookies rather than sessions/similar. (To be precise, it's classic ASP and uses cookie families.) The only clients are IE 6/7/8.

After the process in question has been completed on the web app, the cookies are cleared down.

The question I need to answer is: once this has happened, how hard would it be for someone to recover the information in the (deleted) cookies?

My understanding is as follows but I would appreciate some confirmation / any additional issues anyone can think of.

The cookies shouldn't be intercepted across the network as they're passed via SSL. They could be viewable in server memory/log files (the app has v. comprehensive logging)/memory dumps (?)

On the client, the cookies are stored in a text file. When the cookie is cleared down, the text file is deleted.

Although the file could be recovered by undeleting it, I believe this is encrypted by IE when it's first written? (I can't test this on IE6 but it seems to be on IE7 for HTTP and HTTPS.)

Assuming it IS encrypted, can anyone confirm how secure this is?

I'm also looking into how the cookies are stored in memory and how easy it would be to retrieve them. Any advice on this would also be appreciated.

The cookies are used to access a database but again, all connections use SSL so this shouldn't be an issue. The database is locked down.

I can't see any other ways of an unauthorised user accessing the cookie contents. What - if anything - am I missing?

We're likely to change the mechanism used anyway but I do need to provide a clear list of vulnerabilities for the current system before we can proceed (to make sure they're all addressed).

Many thanks for any help you can provide.

+1  A: 

Storing sensitive information is the vulnerability; this means that one way or the other your system can be attacked by stealing information in these files.

The attack is most likely to come from the client side (if your server can be attacked that's already a problem). The only question is how the cookie can be retrieved from the client machine. Since you're using https this only leaves someone accessing the cookie on the client machine. The vulnerability lies here. All browsers store cookies on the disk and I would doubt they encode them (why would they?). I would look into how IE7, Firefox, Google Chrome and Safari store these cookies, but probably not in a really secure way. The biggest vulnerability is probably here: if someone writes a program to collect this data and is able to deploy it.

If I were you I would change the application to use sessions instead of cookies ASAP. The longer you wait, the bigger the risk that someone can access these credentials.

Gergely Orosz
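As an added illustration of the answer's recommendation (this is example code, not the original application's code or anything posted by the question or answer authors), here is the cookie-family pattern the question describes beside the session-based replacement in classic ASP. The cookie family name `UserData`, its keys and the procedure names are assumed for the example; the real app's names are not on the page.

```asp
<%
' Added example, not the original application's code.

' BEFORE: the pattern described in the question. Values stored in a cookie
' family ("cookie with keys") are written to the client's cookie text file
' and are sent back with every request to the matching path.
Sub StoreInCookie(accountNo, dbPassword)
    Response.Cookies("UserData")("Account") = accountNo
    Response.Cookies("UserData")("DbPass") = dbPassword
    Response.Cookies("UserData").Secure = True   ' only transmitted over HTTPS
    Response.Cookies("UserData").Path = "/"
End Sub

' "Clearing down" the family only tells the browser to expire the cookie.
' Whatever was already written to the client's disk is outside the server's
' control; the app cannot guarantee the bytes are gone.
Sub ClearCookie()
    Response.Cookies("UserData").Expires = Date - 1
End Sub

' AFTER: keep the sensitive values server-side. The browser only receives
' the opaque ASPSESSIONID cookie that IIS issues; the data itself never
' leaves the server, so there is nothing sensitive in the client's cookie
' file to recover.
Sub StoreInSession(accountNo, dbPassword)
    Session("Account") = accountNo
    Session("DbPass") = dbPassword
End Sub

' When the process is finished, drop the server-side copy as well so it
' does not outlive the work it was needed for.
Sub ClearSession()
    Session.Contents.Remove("DbPass")
    Session.Contents.Remove("Account")
    Session.Abandon
End Sub
%>
```

With the session version, the only thing in the client's cookie file is the session identifier, which is useless once `Session.Abandon` has run or `Session.Timeout` has elapsed; the credentials themselves stay in the IIS worker process, which moves the question of exposure from every client machine to the server the question already treats as controlled.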
Yeah I'm pushing for this ASAP. Being in a large company, they're very slow to respond to change and there's a tendency to want to change nothing as change = risk. Someone else has already signed this off as "Safe" which is a tad worrying, hence wanting to find all the issues with the existing system to disprove the earlier analysis and force change ASAP. Thanks for your answer.
Basiclife
In this case I think you should try to see where FF, Chrome, Safari or Opera store cookies and if they encrypt them (since you've checked IE already). If they don't, or do so in a way that's easy to decode, you can simply demonstrate how to steal someone's password by e.g. sitting at the same computer, emailing the cookie to yourself and decoding it. Voilà, you've just shown how to commit identity theft due to the poor design of the system. Good luck with pushing a new solution off the throat of the company! :)
Gergely Orosz
Many thanks, I'll do that
Basiclife