Experts from the Computer Emergency Response Team (CERT) have issued a report showing that the way cookies are recorded and used is unsafe in all modern web browsers. The reason is the improper use of RFC 6265, the standard that describes how to work with cookies. In particular, the problem is the following: cookies obtained through a plain HTTP request can be marked as protected by setting the secure flag. According to the standard, such a cookie should only be used over a secure HTTPS connection.
The experts noticed that almost all modern browsers use any cookie during a secure HTTPS session but do not check where it came from (cookie forcing). "Protected" cookies that were previously injected into the system are accepted as well. It is thus possible to carry out a man-in-the-middle attack by injecting a fake cookie through an HTTP request, disguised as a cookie from a legitimate site. Such a substitution is too difficult to notice. The problem was spotted in August of this year, and all browsers are now protected against this vulnerability. However, all previous versions of Safari, Firefox, Chrome, Internet Explorer, Edge, Opera and Vivaldi are vulnerable.
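The behaviour described above can be reproduced with a small cookie-jar model. This is an added example, not code from the CERT report or from any browser: the class, the `replay` function and the host `shop.example` are hypothetical, and the origin check shown is an assumed form of the fix (a plain-HTTP response may not create or replace a cookie carrying the secure flag).

```javascript
// Toy cookie jar, constructed for illustration; Domain and Path handling is omitted.
// Cookies are keyed by host + name: the scheme that delivered them is not part of the key.
class CookieJar {
  constructor(checkOrigin) {
    this.checkOrigin = checkOrigin; // true = verify which scheme set the cookie
    this.store = new Map();
  }

  // Process one Set-Cookie header received in a response from `url`.
  setCookie(url, header) {
    const { protocol, hostname } = new URL(url);
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false; // malformed: no cookie name
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    const secure = attrs.some((a) => a.toLowerCase() === "secure");
    const key = `${hostname}|${name}`;
    if (this.checkOrigin && protocol !== "https:") {
      // Assumed fix: plain HTTP may neither create a secure cookie
      // nor overwrite one that already carries the secure flag.
      const existing = this.store.get(key);
      if (secure || (existing && existing.secure)) return false;
    }
    this.store.set(key, { value, secure, setOver: protocol });
    return true;
  }

  // Build the Cookie header that would be sent with a request to `url`.
  cookieHeader(url) {
    const { protocol, hostname } = new URL(url);
    const out = [];
    for (const [key, c] of this.store) {
      const [host, name] = key.split("|");
      if (host !== hostname) continue;
      if (c.secure && protocol !== "https:") continue; // the flag only limits sending
      out.push(`${name}=${c.value}`);
    }
    return out.join("; ");
  }
}

// Constructed scenario: a session cookie is set over HTTPS, then a response to a
// plain-HTTP request for the same host carries a cookie with the same name.
function replay(checkOrigin) {
  const jar = new CookieJar(checkOrigin);
  jar.setCookie("https://shop.example/login", "sid=legit; Secure; HttpOnly");
  const accepted = jar.setCookie("http://shop.example/", "sid=forged; Secure");
  return { accepted, sent: jar.cookieHeader("https://shop.example/account") };
}
console.log({ withoutCheck: replay(false), withCheck: replay(true) });
```

Without the origin check the HTTPS request carries the value delivered over HTTP; with it, the jar rejects the HTTP-delivered cookie and the original value is sent.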