41

I was wondering whether a cookie can carry a virus (or any security-threatening code). In some sense it is similar to a download. So by simply visiting a site, could I get harmed?

Thunderforge
Mero55
  • While a website could set the cookie content to the EICAR string for a PoC I would not expect to see this in any practical use due to the cookie size restriction, differences between the cookie in transport and storage, but mostly because there isn't a practical way to jump to execute any code stored in a cookie. – wireghoul Jun 06 '16 at 23:03
  • 38
    *"[can] a cookie can carry [...] any harmful code"* Yes actually. Some people are ignorant enough to drop the contents of a cookie straight into an SQL statement without escaping or binding. That can be very bad for the vulnerable website. Probably not what you mean though. – Alexander O'Mara Jun 06 '16 at 23:06
  • 83
    For a while I thought this was a Biology icon, and thought "surely the cooking process should have killed all the viruses" – John Dvorak Jun 07 '16 at 08:11
  • 3
    The [EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) is a MS-DOS executable (works on DOS, as well as OSes compatible with 16-bit DOS executables such as OS/2 and 16- and 32-bit Windows) made up entirely of printable characters when viewed as ASCII. Those characters could be used as a cookie value. Does that count? – user Jun 07 '16 at 08:41
  • 1
    @MichaelKjörling: would be interesting if you could use that to trick the client's AV into quarantining more cookies than just the ones from your site. – Steve Jessop Jun 07 '16 at 12:59
  • Cookie is a virus. You almost never know what is stored there and what it enables on your systems. – Vladislavs Dovgalecs Jun 07 '16 at 15:25
  • @xeon Do you have *any* experience in this field? A cookie is just a string of text. It can't be executed. – noɥʇʎԀʎzɐɹƆ Jun 07 '16 at 16:20
  • @JamesLu True, cookies are just plain text strings and cannot be executed. However, they can become a proxy for a wide range of malicious activities on the machine. The contents of the cookies can be reused by other applications which can take any action. There are examples of using cookies for opening ports on the computer such that Trojans can be installed http://www.bitdefender.com/support/cookie-threats-1.html – Vladislavs Dovgalecs Jun 07 '16 at 21:48
  • @JamesLu In other words, cookies enlarge the surface of attack. And this concerns me. – Vladislavs Dovgalecs Jun 07 '16 at 21:53
  • 1
    @xeon A secure browser would encrypt cookies and since the attacker already has access to the computer he/she doesn't need any of those attack vectors. It's easy to open a new tab via a script (or in computer terms a script), and shutdown the computer. No private info is stored on cookies. – noɥʇʎԀʎzɐɹƆ Jun 07 '16 at 23:35
  • 6
    I recommend using the five second rule with cookies. If they're still on a clean plate or tupperware, they should be ok. – Dan Jun 08 '16 at 20:20
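
The case Alexander O'Mara's comment describes, where the thing that "runs" cookie text is the website's own database query, shown here as an added example that is not part of the original thread. The `sessions` table, its tokens and all function names are constructed for illustration.

```python
import sqlite3
from http.cookies import SimpleCookie

# Constructed request header: a quoted cookie value carrying SQL syntax.
HOSTILE = 'session="x\' OR \'1\'=\'1"'

def make_db():
    """In-memory session table; every row is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("a1f3c9", "alice"), ("7be20d", "bob")])
    return db

def cookie_value(header, name="session"):
    """Parse a Cookie header; whatever comes back is client-controlled text."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else ""

def lookup_unsafe(db, header):
    """Anti-pattern: the cookie text is pasted into the SQL statement,
    so quote characters in it become part of the query itself."""
    sql = ("SELECT username FROM sessions WHERE token = '%s'"
           % cookie_value(header))
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, header):
    """Same lookup with a bound parameter: the cookie is compared as a
    plain string and never parsed as SQL."""
    cur = db.execute("SELECT username FROM sessions WHERE token = ?",
                     (cookie_value(header),))
    return [row[0] for row in cur]

if __name__ == "__main__":
    db = make_db()
    print("genuine cookie :", lookup_bound(db, "session=a1f3c9"))
    print("unsafe, hostile:", lookup_unsafe(db, HOSTILE))
    print("bound,  hostile:", lookup_bound(db, HOSTILE))
```

The cookie is still only text in both functions; the difference is whether the server hands that text to an interpreter or compares it as data.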

7 Answers

92

You can put any text strings into a cookie, so in theory you could put some kind of code there. But for code to do any harm something needs to run it. The web browser does not interpret the content of cookies as code and does not try to run it, so cookies should not be dangerous. (If you have heard cookies being referenced in security related discussions, it is probably in relation to privacy and not viruses.)

In theory there could be a bug in the browser that makes it possible to craft a special cookie that somehow fools the browser to run it, e.g. by causing a buffer overflow. Such a bug is quite unlikely in a major browser, and if you could find one it would be considered a big deal.

So I would not worry about cookies infecting me with a virus. However it is possible to be infected by malware from just visiting a website. This is called "drive by downloads" and is nowadays a common method to spread viruses. The vector that is exploited for this is generally not cookies though, but plugins like Java or Flash.

Anders
  • 1
    If it can be caused to be executed by other means, it's just as dangerous. There doesn't need to be a flaw in the browser. – OrangeDog Jun 07 '16 at 13:21
  • 7
    @OrangeDog If *another means* can 'execute' a cookie it already has access to your system and does not need the cookie. –  Jun 07 '16 at 14:17
  • 1
    @JanDoggen see Overmind's answer for an example. – OrangeDog Jun 07 '16 at 14:18
  • @OrangeDog *Overmind*’s answer doesn’t refute what *Jan Doggen* said though. A better example would be the comment by *Alexander O'Mara*, which describes a possible situation where a person would 'execute' the (possibly malicious) contents of a cookie themselves (without some other malware being installed first). – アリスター Jun 08 '16 at 18:56
  • 1
    The point is the malware sneaks past defences by each part alone being non-functional. – OrangeDog Jun 08 '16 at 20:20
11

In addition to Anders' excellent answer, there was a vulnerability in Internet Explorer 5 and 6 which allowed a malicious cookie to be set that could then read or set other sites' cookie values.

Article here.

An information disclosure vulnerability related to the handling of script within cookies that could allow one site to read the cookies of another. An attacker could build a special cookie containing script and then construct a web page that would deliver that cookie to the user's system and invoke it. He could then send that web page as mail or post it on a server. When the page executed and invoked the script in the cookie, it could potentially read or alter the cookies of another site. Successfully exploiting this, however, would require that the attacker know the exact name of the cookie as stored on the file system to be read successfully.

While not a virus as such, your browser could be "infected" by this script in a cookie that the attacker could then use to compromise your browser. However, regarding the cookie here it is more about the mechanism used for the exploit rather than the browser being infected, because only malicious sites can use the cookie and it won't be invoked when benign sites are visited.

SilverlightFox
7

Cookies can only transfer TEXT values, meaning it cannot harm your computer stand-alone, but it can contain very important information that can be used against you if stolen. Read about Session hijacking, and you will understand what specifically the exploiter can use it for.

Eda190
  • 2
    The [EICAR test file](https://en.wikipedia.org/wiki/EICAR_test_file) is a MS-DOS executable (works on DOS, as well as OSes compatible with 16-bit DOS executables such as OS/2 and 16- and 32-bit Windows) made up entirely of printable characters when viewed as ASCII. Granted, it isn't particularly virulent or destructive, but it *could* be carried as a cookie value. – user Jun 07 '16 at 08:40
  • 6
    This answer ignores the possibility of a flawed implementation that is only *supposed* to read data, executing that data instead. See Anders' answer or related answers like [this](http://security.stackexchange.com/a/55073/17049) (which is about image files, but the principle is the same). – Jon Bentley Jun 07 '16 at 08:54
  • 3
    "*Cookies can only transfer TEXT values*"; not (entirely) true. Text is just a bunch of "bytes" *interpreted* as text. You can store *any* arbitrary value in a cookie ('binary' too; it's just gibberish when represented as text). You'd only need to make sure it's escaped (or encoded) correctly. – RobIII Jun 07 '16 at 11:39
5

Theoretically they can, as Anders already mentioned. The "problem" is that they won't be executed by the browser. However, another software/malware on your computer could. Which would be particularly dangerous, because anti virus programs most likely won't detect the cookie or the executing software on their own when carried out in separate files.

licklake
  • Not only another computer. While Cookies are SUPPOSED to be mere test payload it is POSSIBLE (although extremely unlikely) that a bug in a browser could possibly be used to execute a payload transmitted in a cookie. So, it actually is possible. – TomTom Jun 07 '16 at 12:57
4

The cookie itself does not do damage, but it may contain code used by executables. A tactic of some viruses is to store the cookie with some partial code and that code will be later run by a virus-like application.

Example: cookie stores decryption key for an executable that bypasses initial scans due to being well encrypted. Then the .exe is using the key to decrypt itself and attempt to run.

Overmind
  • 2
    In such a scenario, the decryption key doesn't need to come from a cookie, but can come from any number of places. It can come from the response body of an HTTP request. Or it can use another protocol altogether, even a raw TCP request/response packet. And I guess this is widely in use with C&C type malware – aross Jun 08 '16 at 07:49
  • 1
    That implementation would be error-prone, as cookie storage mechanisms change between browsers and even browser versions. It's so much easier to put the key in the executable itself. – Dmitry Grigoryev Jun 08 '16 at 14:34
3

The short answer, albeit deceiving without the long answer: Yes, a cookie can carry a virus. Yes, it is possible to get such a virus by merely visiting a website delivering the cookie.

In the above paragraph, replace "a cookie" with "any file, data, or anything else," and replace "visiting a website" with "possessing," and the statement still holds true.

The questions "Can I get a virus from X?" or "Can doing Y give me a virus?" are naïve questions (naïve, but not ignorant if you enlighten yourself). This is because any file, any data, any action has the potential to contain/transfer/catch a virus. Anything at all. There have been viruses which have been transferred in JPGs merely by having them be visible on your monitor, and there have been viruses transferred in Windows shortcut files merely by possessing the infected shortcut in a folder that has been opened. It has also happened in the past that computer users have caught viruses merely by being connected to a network, without actually doing anything to download/view/interact-with a virus, since it is possible for a cracker to gain access to your computer without you actively doing anything.

That's the doom and gloom (yet true) answer. Analogy: It's like a real virus - you can catch a deadly virus merely by standing a dozen (or more, for some of them) feet away from an infected person breathing a virus out. You don't have to actually do anything to die from it. It's sort of similar with computer viruses.

Just as with dying because you are standing 20 feet from the bus stop, getting a virus on your computer while surfing smart is so unlikely that you should not worry about it.

The kind of examples I gave above require critically severe security holes in the software that you use. As long as you use trusted software and keep it up to date, you are usually fine. Usually.

The problem is that a security hole in software is generally not known. If people knew about it, then it would (hopefully) get fixed soon; that's one of the reasons to update your software. Since the holes are not known, none of us can say what is or is not safe, since a cracker can stumble upon the next big security hole and abuse it at any moment, and it can literally be anywhere. Heck, it could be in a malformed website address for all anyone knows, and nobody can reasonably claim otherwise (though I will be the first to say it's highly doubtful).

But don't let this turn you into a frightened hermit. Worrying about the next big security hole is like worrying that the next meteor is going to land on your head - again, possible but not likely.

Now if we ask a different question: I'm concerned about getting malware; is it unsafe to visit websites that give me cookies if I'm using a major, modern browser that is kept up to date? Then the answer is "No, it's not unsafe and you're not likely to get any malware. There are privacy concerns with cookies, but that's not related and won't harm your computer. If you're interested in the privacy concerns, either Google 'computer cookie privacy' or ask another question about that."

Aaron
  • 2
    Yes, this answer was a bit of a rant and contains no citations or technical information. However, I did not see any other answers so far which really got at the heart of the matter here. I won't be offended if someone goes and fetches the details and writes up basically the same answer but better than I've done; in fact I think that would be great. – Aaron Jun 07 '16 at 20:50
  • I think your first two paragraphs are very misleading. Cookies cannot be considered the same as "any file" – Matt Wilko Jun 08 '16 at 09:46
  • @MattWilko I think you are missing the point of those paragraphs then - though maybe that's my fault. The point is that _anything_ can contain malware. Any file, data, action, anything. To say otherwise is actually what's very misleading, hence my answer since I didn't see any others make the point properly. Still, I'm not sure what you mean by "the same as any file." – Aaron Jun 08 '16 at 14:41
-1

The question of whether or not cookies can be dangerous or spread viruses has to do with whether or not a file is an "executable" one. In theory, if an executable cookie was set with malicious contents, then it is possible that it could affect your computer with a virus and open a proverbial can of worms. This is a fairly rare occurrence and one that I have personally not seen - but entirely possible under the right circumstances.