Cookies are a fundamental part of our everyday web access. We take them for granted and freely give websites access to relevant “cookies” in our browsers because they dramatically enhance our user experience. Cookies are considered “persistent” if they last beyond a single browser session. Persistent cookies remain in your browser until you explicitly erase them or your browser deletes them after a given duration (set by the site using the cookie).
Typical examples of websites that use persistent cookies are your favorite webmail sites like Gmail and Yahoo!. They use use persistent cookies to remember you, so you don’t have to log in every time you go to get your email.
Description of Vulnerability in Apple OSX and its Potential Impact
Zscaler discovered a vulnerability in Apple’s recent OS X version (El Capitan), which enabled applications that did not have the appropriate privileges to access cookies stored in the Safari browser. This access could result in a malicious application lifting all the persistent cookies for a given user and accessing sites posing as that user. In the case of email (like those of the sites mentioned above), it could result in a malicious application getting access to all your email. Worse, it could gain access to a site that stores more personal and confidential information about you.
Apple Releases Patch to Fix Vulnerability
Today, Apple released a new update to El Capitan v10.11.6 with Security Update 2016-004 that addresses this vulnerability. More details of the release are here.
Additional Information on Persistent Cookies
The use of persistent cookies is growing steadily. As of July 2016, 23.6 percent of all websites use persistent cookies. While 38.6 percent of these sites use cookies that expire in hours, more than 60 percent of sites use cookies that expire in days or months.
Some popular sites using persistent cookies include the following:
- Youtube.com
- Baidu.com
- Wikipedia.org
- Amazon.com
- Google.co.in
- Twitter.com
- Msn.com
- Google.co.jp
- Yahoo.co.jp
- Linkedin.com
More information on websites using persistent cookies can be found at w3techs.com.
Stay up to date on the latest threats and trends by reading posts from the Zscaler Research Team’s blog.