Executive Summary

Title Web sites may transmit authentication tokens unencrypted
Name VU#466433 First vendor Publication 2007-09-07
Vendor VU-CERT Last vendor Modification 2007-10-03
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

CVSS vector: N/A (no CVSS v3 score assigned; base, temporal, environmental, impact and exploitability sub-scores all N/A)

Security-Database Scoring CVSS v2

CVSS vector: N/A (no CVSS v2 score assigned; base, impact and exploit sub-scores, attack range, attack complexity and authentication all N/A)


Vulnerability Note VU#466433

Web sites may transmit authentication tokens unencrypted


Web services that rely on cookies for authentication may be vulnerable to session hijacking, which amounts to an authentication bypass.

Some web sites transmit authentication material (usually cookies) without encrypting the entire session, even when that material is initially set over an HTTPS session. An attacker on the network path can capture the cookie from a plaintext request and use it to impersonate the legitimate user. Sites that set authentication cookies over HTTPS during login and then accept the same cookies over HTTP are particularly exposed, because users tend to assume that the protection of the login page applies to the rest of the session.

I. Description

HTTP cookies are short pieces of text that a server sends to a client web browser in a Set-Cookie response header. The browser stores them and sends them back to the server, in a Cookie request header, on later requests to that web site.

Some web sites authenticate users with a username and password, then issue a cookie containing a unique identifier (a shared secret between browser and server). The browser presents that cookie on subsequent requests, and the site treats its presence as proof that the user has already authenticated. To limit the exposure of such a cookie, the site may delete it when the user logs out, set the optional "Secure" attribute on the "Set-Cookie" response header so that the browser only sends the cookie over HTTPS, or give the cookie an expiry date. Web browser toolbars or extensions may also send authentication credentials (cookies) to web sites or services.

Web sites that accept such cookies as authentication over a plaintext protocol like HTTP are vulnerable to session hijacking, which amounts to an authentication bypass, even if the initial login credentials were sent to the server over an encrypted protocol. An attacker who can intercept traffic containing the cookie can copy it and replay it in requests of their own, and the site has no way to tell those requests from the legitimate user's. Sites that provide "software as a service" are often affected by this type of vulnerability.

Null encryption (a cipher suite that provides no confidentiality) is a valid option under the original SSL specifications, so the use of HTTPS does not by itself guarantee that traffic is encrypted. We are unaware of any vendor's HTTPS implementation that does not use encryption.

II. Impact

A remote, unauthenticated attacker who can intercept traffic destined for an affected web site may be able to take any action on that site that the legitimate user can.

III. Solution

There are a number of options that can mitigate this type of vulnerability. Please see the Workarounds and Systems Affected sections of this document for more information, including information about specific vendors.

Workarounds for users

  • Accessing the web site using encrypted HTTPS may mitigate this vulnerability. Note that the entire session, not just the initial username and password exchange, needs to be encrypted. For this workaround to be completely effective, the Secure attribute must be set on the cookie; without it, the browser will still send the cookie the first time any page on the site is requested over plain HTTP.
  • Logging off from the web service may reduce the amount of time an attacker has to obtain credentials and exploit unprotected services, since a server that invalidates the cookie on logout leaves a captured cookie useless afterwards.
  • Users who can encrypt sensitive data locally, using PGP or GnuPG, password-protected ZIP files, or other types of encryption, before storing it on a web site may be able to restrict what information an attacker can obtain by exploiting this vulnerability. Note that this workaround may not be feasible for all services offered by all vendors.
  • Evaluate the risks of accessing vulnerable sites before using the services while connected to untrusted networks.
Workarounds for vendors
  • Provide the ability for users to access the site using HTTPS, or at a minimum only transmit authentication credentials over HTTPS. For this workaround to be completely effective, the Secure attribute must be set on the cookie. See section 4.2.2 of RFC 2109 for the attribute's original definition (the current specification is section 4.1.2.5 of RFC 6265). Note that the Secure attribute only stops the browser from sending the cookie over HTTP; every page that requires the cookie must therefore be served over HTTPS, or those pages will no longer see the user's session. Sites that later also send an HTTP Strict Transport Security header (RFC 6797, published after this note) prevent the browser from making plaintext requests to the site at all, which closes the gap for users who type an http:// URL.
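The following is an added example, not code from the vulnerability note, CERT, or any of the listed vendors. It models the part of browser cookie handling that the Description section and the vendor workaround depend on: a cookie set by an HTTPS login response without the Secure attribute is attached to the very next plain HTTP request to the same host, while the same cookie with Secure is withheld. It also includes a small check over a response's Set-Cookie headers that flags session-looking cookies a browser would later send in plaintext. The host names, cookie names and the list of "authentication-looking" name fragments are constructed for the example; a real audit would use the site's actual session cookie names.

```python
# Added example (not from the vulnerability note): a minimal model of how a
# browser applies the Secure attribute, used to show why a session cookie set
# over HTTPS leaks on the first HTTP request, plus a check for Set-Cookie
# headers that would leak. Host names and cookie names below are constructed.
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # host the cookie belongs to (lower-case, no leading dot)
    host_only: bool  # True when no Domain attribute was given (RFC 6265 host-only cookie)
    secure: bool     # True when the Secure attribute was present


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse the subset of a Set-Cookie header value that matters here:
    name=value followed by optional attributes (Secure, Domain, ...)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, host_only, secure = origin_host.lower(), True, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "domain" and val.strip():
            domain, host_only = val.strip().lstrip(".").lower(), False
    return Cookie(name.strip(), value.strip(), domain, host_only, secure)


class CookieJar:
    """Just enough of a browser cookie store to decide what gets sent where."""

    def __init__(self) -> None:
        self.cookies: dict[tuple[str, str], Cookie] = {}

    def store(self, response_url: str, set_cookie_headers: list[str]) -> None:
        host = urlsplit(response_url).hostname or ""
        for h in set_cookie_headers:
            c = parse_set_cookie(h, host)
            self.cookies[(c.domain, c.name)] = c

    def cookies_for(self, request_url: str) -> list[str]:
        """Names of cookies the browser would attach to a request for request_url."""
        u = urlsplit(request_url)
        host = (u.hostname or "").lower()
        over_tls = u.scheme == "https"
        sent = []
        for c in self.cookies.values():
            domain_match = host == c.domain or (not c.host_only and host.endswith("." + c.domain))
            if not domain_match:
                continue
            if c.secure and not over_tls:
                continue  # Secure is the only thing keeping the cookie off a plaintext request
            sent.append(c.name)
        return sorted(sent)


# Heuristic (an assumption of this example): name fragments that usually mark a
# session or authentication cookie. A real audit would list the site's actual names.
AUTH_NAME_HINTS = ("sess", "auth", "token", "sid", "login")


def audit_set_cookie(set_cookie_headers: list[str], response_url: str) -> list[str]:
    """Return the auth-looking cookies from a response that a browser would later
    send over plain HTTP: those lacking Secure, or set by a non-HTTPS response."""
    host = urlsplit(response_url).hostname or ""
    over_tls = urlsplit(response_url).scheme == "https"
    flagged = []
    for h in set_cookie_headers:
        c = parse_set_cookie(h, host)
        looks_auth = any(hint in c.name.lower() for hint in AUTH_NAME_HINTS)
        if looks_auth and (not c.secure or not over_tls):
            flagged.append(c.name)
    return flagged


if __name__ == "__main__":
    # Constructed login response: the session cookie is set over HTTPS but
    # without Secure, and the site then serves the inbox over HTTP.
    vulnerable = ["SESSIONID=abc123; Path=/; HttpOnly", "PREF=dark; Path=/"]
    jar = CookieJar()
    jar.store("https://www.example.com/login", vulnerable)
    print("http request sends:", jar.cookies_for("http://www.example.com/inbox"))
    print("audit flags:", audit_set_cookie(vulnerable, "https://www.example.com/login"))

    fixed = ["SESSIONID=abc123; Path=/; Secure; HttpOnly", "PREF=dark; Path=/"]
    jar = CookieJar()
    jar.store("https://www.example.com/login", fixed)
    print("http request sends:", jar.cookies_for("http://www.example.com/inbox"))
    print("https request sends:", jar.cookies_for("https://www.example.com/inbox"))
```

Running the module shows the leak directly: with the vulnerable headers the HTTP request for /inbox carries SESSIONID, which is exactly what an attacker on the path captures and replays; with Secure set, only the non-sensitive PREF cookie goes out in plaintext and SESSIONID appears only on the HTTPS request. HttpOnly is included in the sample headers to make the point that it is irrelevant here: it restricts script access, not network exposure.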

Systems Affected

Vendor                  Status           Date Updated
Microsoft Corporation   Vulnerable       6-Sep-2007
salesforce.com          Not Vulnerable   12-Sep-2007
Yahoo, Inc.             Vulnerable       1-Sep-2007

Information about this vulnerability was released by Erratasec.

This document was written by Ryan Giobbi and Dean Reges.

Other Information

Date Public: 09/07/2007
Date First Published: 09/07/2007 01:18:44 PM
Date Last Updated: 10/03/2007
CERT Advisory:
CVE Name:
Document Revision: 98

Original Source

Url : http://www.kb.cert.org/vuls/id/466433