Triple Dot Cookies

While reading the Netscape Cookie Specification on May 6th, 1998, it occurred to me that there was a vulnerability in their specification. By exploiting the fact that a domain with a trailing dot ('.') character is the same domain as the fully qualified domain name, and thinking recursively about their 'two dot' and 'three dot' domain sharing rules, I asked myself, what if they implemented simply dot counting without checking that there are in fact names in between the dots? In other words, would a domain name with multiple trailing dot characters be able to evade the 'two dot/three dot' limits on who they can share cookies with?

If so, then by 'bouncing' a user off your own domain with three trailing dots appended (something like 'www.nihongo.org...') and specifying a cookie domain of '...', you would be able to recover that cookie anywhere by bouncing them through a triple dot URL with whatever the domain happened to be substituted (for example: 'www.slashdot.org...').

The answer is an unqualified YES. All tested versions of the Netscape and Microsoft web browsers have proven vulnerable to this.
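
The dot-counting flaw described above, as an added Python example that is not from the original page or from any browser's source: `naive_accepts` models a validator that only counts dots and tail-matches the host, while `strict_accepts` adds the missing check that a name exists between every pair of dots. Both function names are hypothetical; the seven special top-level domains come from the Netscape specification's two-dot rule.

```python
# Added illustration of the 'two dot / three dot' rule; names are hypothetical.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}  # two-dot TLDs


def naive_accepts(request_host: str, cookie_domain: str) -> bool:
    """Dot counting plus tail match, never checking that labels exist."""
    host, domain = request_host.lower(), cookie_domain.lower()
    tld = domain.rstrip(".").rsplit(".", 1)[-1]
    required = 2 if tld in SPECIAL_TLDS else 3
    return domain.count(".") >= required and host.endswith(domain)


def strict_accepts(request_host: str, cookie_domain: str) -> bool:
    """Same rule, but every label between dots must be non-empty."""
    host = request_host.lower()
    if host.endswith("."):          # one trailing dot is the FQDN root: normalise it
        host = host[:-1]
    domain = cookie_domain.lower()
    if domain.startswith("."):      # one leading dot is the usual cookie-domain form
        domain = domain[1:]
    host_labels, domain_labels = host.split("."), domain.split(".")
    if not all(host_labels) or not all(domain_labels):
        return False                # empty label, e.g. '...' or 'www.nihongo.org...'
    required = 2 if domain_labels[-1] in SPECIAL_TLDS else 3
    if len(domain_labels) < required:
        return False                # rejects 'com' and 'va.us' style domains
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    # Constructed cases using the host names quoted in the text above.
    cases = [
        ("www.nihongo.org...", "..."),
        ("www.slashdot.org...", "..."),
        ("www.nihongo.org", ".nihongo.org"),
        ("www.nihongo.org.", ".nihongo.org"),
        ("www.nihongo.org", ".com"),
    ]
    for host, domain in cases:
        print(f"{host!r:24} {domain!r:16} naive={naive_accepts(host, domain)!s:5} "
              f"strict={strict_accepts(host, domain)}")
```

The count-based thresholds in `strict_accepts` are kept only to mirror the specification's rule; current browsers decide which domains may share cookies from the Public Suffix List instead.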

I have written a script that detects if a browser is vulnerable to this bug and you can TEST your own browser against it by clicking on the capitalized word TEST here. If you turn on 'notify' for your cookies you can actually watch the 'triple dot' cookie get set during the test. Press the 'back' key or button in your browser afterwards to return to this page.

In essence, this renders Netscape's and Microsoft's cookie privacy protections pretty much meaningless for virtually all users today.

Cookie Central confirmed this bug after my report to them and also has a demonstration script I wrote to show it off.

Why haven't I heard anything about this before?

Beats me. I reported the problem to Netscape representatives on May 7th, 1998. They ignored it. I reported it to 'Cookie Central' on May 14th and they emailed me about it on May 20th. They didn't report it until December 14th (to their credit, they did do a bang-up job explaining the problem).