Path leaks of HTTPS side-channel by cookie injection

Abstract

The TLS protocol is supposed to provide confidentiality to communication channel, preventing active and passive network attacks. However, researchers have presented several side-channel attacks against TLS protected communications, due to protocol design flaws or implementation problems. We present a new side-channel attack against HTTPS (HTTP over TLS) by exploiting cookie injection. Taking advantage of cookie’s weak Same Origin Policy (SOP), an attacker can inject arbitrary cookies into a victim’s browser if a website is not fully protected by HTTP Strict Transport Security (HSTS), the injected cookies can then be used to infer sensitive information of encrypted traffic initiated by the victim. We show two such side-channel attacks. The first allows the attacker to identify whether the victim is visiting a known sensitive URL or not. The second is able to reveal the full path of unknown URLs visited by the victim, exploiting cookie-path matching vulnerabilities in Internet Explorer, Edge, Safari, etc. With experiments, we investigate several popular cloud storage services and demonstrate that most of them (including Google Drive and Dropbox) are vulnerable to such attacks. The issues we discovered in Internet Explorer, Edge and Safari are also acknowledged by Microsoft (MSRC Case 39133, will be fixed in future version) and Apple (Case 666783646, has been fixed). Finally, we discuss potential defense and mitigation against these attacks.