Towards Browser Controls to Protect Cookies from Malicious Extensions

Cookies provide a state management mechanism for the web and are often used for authentication, storing a user's session ID, and replacing their credentials in subsequent requests. These ``session cookies'' are valuable targets of attacks such as Session Hijacking and Fixation that attempt to steal them and gain unauthorized access to user accounts. Multiple controls such as the Secure and HttpOnly cookie attributes restrict cookie accessibility, effectively mitigating attacks from the network or malicious websites, but often ignoring untrusted extensions within the user's browser. Extensions are third-party HTML/JavaScript add-ons with access to several privileged APIs and can run on multiple websites at once. Unfortunately, this can provide malicious/compromised extensions with unrestricted access to session cookies. In this work, we first conduct a study assessing the prevalence of extensions with these ``risky'' APIs (i.e., those enabling cookie modification and theft) and find that they are currently used by hundreds of millions of users. Motivated by this, we propose browser controls based on two new cookie attributes that protect cookies from malicious extensions: BrowserOnly and Tracked. The BrowserOnly attribute prevents accessing cookies from extensions altogether. While effective, not all cookies can be inaccessible. Cookies with the Tracked attribute remain accessible, are tied to a single browser, and record any modifications made by extensions. Thus, stolen Tracked cookies become unusable outside their original browser and servers can verify any modifications. To demonstrate these features' practicality, we implement CREAM (Cookie Restrictions for Extension Abuse Mitigation): a modified version of Chromium realizing these controls. Our evaluation indicates that CREAM controls effectively protect cookies from malicious extensions while incurring small run-time overheads.