Cookie Modification Vulnerability in Android Browser
CVE-2008-7298
Summary
The Android browser does not adequately restrict modifications to cookies established within HTTPS sessions. This allows a man-in-the-middle attacker to overwrite or delete cookies by sending a Set-Cookie header in a plain HTTP response. The weakness is related to the absence of the HTTP Strict Transport Security (HSTS) includeSubDomains feature, so cookies set over HTTPS can be altered without authorization during a user's session.
References
Timeline
Vulnerability Reserved
Vulnerability published