Triple Dot Cookies
While reading the Netscape Cookie Specification
on May 6th, 1998 it occured to me that there was a vulnerabilty in their specification.
By exploiting the fact that a domain
with a trailing dot ('.') character is the same domain as the fully qualified domain name, and thinking
recursively about their 'two dot' and 'three dot' domain sharing rules, I asked myself, what if
they implemented simply dot counting without checking that there are in fact names in
between the dots? In other words, would a domain name with multiple trailing dot characters
be able to evade the 'two dot/three dot' limits on who they can share cookies with?
If so, then by 'bouncing' a user off your own domain with three trailing dots appended (something like
and specifying a cookie domain of '...' you would be able to recover that cookie anywhere
by bouncing them through a triple dot URL with whatever the domain happened to be substituted (for
The answer is an unqualified YES. All tested versions of the Netscape and Microsoft web
browsers have proven vulnerable to this.
I have written a script that
detects if a browser is vulnerable to this bug and you can TEST your own browser against
it by clicking on the capitalized word TEST here.
If you turn on 'notify' for your cookies
you can actually watch the 'triple dot' cookie get set during the test.
Press the 'back' key or button in your browser
afterwards to return to this page.
In essence, this renders Netscape's and Microsoft's cookie privacy protections
pretty much meaningless for virtually all users today.
Cookie Central confirmed this bug after
my report to them and also has a demonstration script I wrote to show it off.
Why haven't I heard anything about this before?
Beats me. I reported the problem to Netscape representatives on May 7th, 1998.
They ignored it.
I reported it to 'Cookie Central' on May 14th and they emailed me about
it on May 20th. They didn't report it until December 14th (to their credit,
they did do a bang up job explaining the problem).