WWW2026
Too Much Sharing, Too Little Security: Authentication Cookie Theft At Scale
Tobias Gattermayer, Haya Schulmann
Abstract
Web browsers store cookies to save a user's authentication status. Sharing these authentication cookies across subdomains, a common practice for user convenience, creates a critical session hijacking vulnerability. When cookies for a parent domain are sent to all subdomains, an attacker who compromises any single subdomain can intercept them. Using these stolen cookies, the attacker can impersonate users across all other services hosted on the domain. We conduct the first ethical, large-scale evaluation of authentication cookie leakage to compromised subdomains caused by insecure cookie scoping, a vulnerability we call "CookieDrift". We develop a novel, non-intrusive, and ethical method to detect CookieDrift by simulating a hijacked subdomain and recording all leaked cookies. From a list of over 2,500 popular domains with accounts, 57.98% (1,472) are vulnerable to cookie theft. Of these, 45.45% (669 domains) are immediately exploitable through subdomain takeover attacks. We find evidence of active, real-world hijacks affecting 186 domains and discover authentication cookies from these domains in darknet leaks using "CookieDelta", a new filtering technique we developed to isolate authentication-relevant cookie names. We investigate the root causes of insecure cookie sharing by reviewing RFCs and major authentication frameworks and conclude that the defaults are secure, but the documented examples encourage excessive cookie sharing, driven by limitations in RFC 6265. We propose countermeasures that preserve backward compatibility and ease of use while enabling finer-grained control over cookie propagation. We include two key artifacts: a locally running web application, "DeltaInterceptor", for testing any website's vulnerability to CookieDrift as well as computing CookieDelta, and a sanitized dataset of all recorded cookies.