I recently noticed a penetration test report wherein non-compliance with the European Union (EU) cookie law was stated as a finding under an "other" category. I consider this more of a legal, privacy-related matter and not so much security.

Why would this be in a penetration test report? Are there possible security-related concerns that I'm not aware of?

  • 6
    How was the scope of the penetration test defined? Or in other words: Is a finding like this acceptable within the defined scope? – Tom K. yesterday
  • 19
    I personally know of no security issue that results out of this. It was probably more of a nice-to-know finding for you (or the client), that's probably why it was under "other". – Tom K. yesterday
  • 24
    "finding vulnerabilities, weaknesses, and other security-related issues" If the use of the cookie was/is in non-compliance with EU law, it could leave you vulnerable to prosecution. I see no reason for it not to be in a pen-test report (unless specifically excluded). – TripeHound 23 hours ago
  • 2
    @TripeHound To be fair, that wording heavily suggests that they are talking about security "vulnerabilities and weaknesses". Being liable to prosecution from EU regulations isn't a security vulnerability, it's a legal vulnerability. Not to say I'd argue about being given that information; but it still does sound questionable that aligning with EU regulation is relevant to their security. – JMac 19 hours ago
  • 5
    @TripeHound If you're going to interpret the words that widely, then "Tracy hasn't had a 'flu vaccine" is a vulnerability and "James can only bench-press 30lbs" is a weakness. – David Richerby 19 hours ago

I don't know of any technical security impact relating to not adhering to EU cookie laws.

Ultimately I think this is mostly down to the discretion of the assessor and the context of the assessment. Privacy issues are security-adjacent and come with similar PR impacts, and may even be judged to infringe upon the rights of the individual, so I think in some cases such findings may be useful.

For me the question isn't so much whether these things should be reported to the client, as whether or not they should be in the pentest report itself. There are other communications channels that can be used to relay this information. It may well be that this was discussed and the client asked that it be put into the report. It could even be that compliance concerns were one of the key drivers to having the assessment done in the first place. Some scopes explicitly include looking for findings that might embarrass the company or its associates (content injection is a fun one here).

I have reported everything from functionality problems to typos (albeit serious ones with vulgar consequences) to clients when doing pentesting work, when appropriate, because ultimately my job is to help improve their system. I don't think it hurts to include this kind of thing in a report because it can always be removed and filed separately at the client's request.

  • 2
    The "technical security impact" is that the user's data is being retained and utilized in a way they have indicated they do not allow. Just because you do not consider it as dangerous as login credentials being at-risk does not mean that privacy != security. – New Alexandria yesterday
  • 2
    @NewAlexandria : To be precise "... in a way they have not indicated they allow". It is much more likely that the website is failing to ask permission to store cookies than that the website has asked, been denied permission, and is doing it anyway. – Martin Bonner yesterday
  • 1
    @MartinBonner when the user is in the EU, the site cannot implicitly track even though the user has not been given the ability to indicate their preference. – New Alexandria yesterday
  • 3
    @NewAlexandria : Yes I know that. However there is a difference between "indicated they do not allow" and "not indicated they allow". Legally they have to be treated the same, but morally (and when it comes to sentencing), they are different. – Martin Bonner 23 hours ago
  • 1
    It occurs to me, you may not be a native English speaker. "indicated they do not allow" is "forbade"; "not indicated they allow" is "not (yet) actively permitted" – Martin Bonner 23 hours ago

A vulnerability is something that leaves you open to the possibility of being harmed. Being prosecuted or sued for violating the law is a form of harm. Therefore, not complying with the law is a vulnerability. It really is this simple.

  • 3
    The question is whether it is appropriate to be in scope in a pentest report. – schroeder 22 hours ago
  • 3
    @TomK. being sued could harm the organization, particularly if it's a legitimate lawsuit - I don't see how that's much of a stretch – user2813274 21 hours ago
  • 3
    @TomK. You don't think a lawsuit or government investigation is an unwanted incident which may result in harm to an organization? – David Schwartz 19 hours ago
  • 3
    @JMac Security is the state of not being vulnerable to threats. Threats are potential unwanted incidents that expose you to harm. Bluntly, this is absolutely basic stuff and it's very hard to tell if you're being serious. To me, as a security professional, this question is shocking. – David Schwartz 19 hours ago
  • 3
    @JMac Yes, they are. They work with compliance and legal as necessary. IT is responsible for detecting and mitigating threats that have an IT component, as compliance with cookie-handling regulations does. I can't imagine offhand a sexual harassment issue with an IT component, but if there was, IT would be partially responsible for responding to it. – David Schwartz 17 hours ago

This is a security issue for the users.

Non-compliance with cookie-related laws includes cookie data being built up about you while on the site, after you have clicked 'opt-out'. If the site does not acknowledge the GDPR (privacy laws) then some degree of personally identifying information about the user is being leaked into the site's domain, stored, and used in ways that amount to tracking. This includes:

  • if a banner pops up saying that cookies are being used and "click OK to accept"
  • if no notification is made to the user, but tracking is performed
  • if no option nor preferences are given to the user, yet tracking is performed.
  • and others

Cookies are one obvious thing to test for, and it is perhaps the only reliable way to test for tracking, since backend techniques would be invisible unless a specific personalization feature remains consistent across pageviews.

For some corps that I have been part of, some lawyers argue that cookies are not illegal as long as they do not connect session data with a personal identifier.

Regardless, this would be a likely vector for errors or misrepresentation, and thus I would expect it to show up in a report dealing with user security.

tl;dr: people don't seem to understand user privacy is a security issue for the user.

  • 1
    Comments are not for extended discussion; this conversation has been moved to chat. – Rory Alsop 5 hours ago
  • @RoryAlsop this answer is incorrect; it asserts that compliance with the EU cookie law improves user privacy when it patently does no such thing, since compliance is usually achieved through a boilerplate "consent" banner that gives the user no real information and no possibility of opt-out besides leaving the site. How does shifting that objection into chat help future readers? The fact that the answerer chose to respond to criticism with a long chain of accusations and personal insults should not give him the right to have the site censor comments pointing out that his answer is wrong. – Mark Amery 3 hours ago
  • 1
    @MarkAmery They are not censored, merely moved to chat. I agree the answer is completely wrong, so I have downvoted, which is the correct recourse. – Rory Alsop 3 hours ago
  • The number of other users that have responded with the same kind of answer as me should be your first clue that this answer isn't wrong. Others not understanding EU law doesn't make us all wrong. Not understanding my replies (now moved to chat) doesn't make my replies into "accusations and personal insults." ...and your comment recites a (broadly used) paper tiger solution that does not protect the security of user information under GDPR. – New Alexandria 44 mins ago
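The answer above lists the patterns a tester looks for: non-essential cookies set before the banner is answered, or after the user opts out. The following is an added example (not code from any poster on this page) that runs that check over captured Set-Cookie headers from a test session; the headers are constructed, and the set of cookies treated as strictly necessary for the sample site is an assumption.

```python
# Assumption for the sample site: only its consent-preference cookie and the login
# session cookie are strictly necessary and may be set without consent.
STRICTLY_NECESSARY = {"cookie_consent", "sessionid"}


def set_cookies(headers):
    """Yield (name, value) for each Set-Cookie header in a list of (header, value) pairs."""
    for header, raw in headers:
        if header.lower() != "set-cookie":
            continue
        pair = raw.split(";", 1)[0]          # drop Path/Expires/... attributes
        name, _, value = pair.strip().partition("=")
        yield name, value


def find_consent_violations(visits):
    """visits: ordered (consent_state, response_headers) pairs from one test session.

    consent_state is the preference the tester had expressed before that request:
    'none' (banner not answered yet), 'rejected' (opted out) or 'accepted'.
    Returns (consent_state, cookie_name, value) for every non-essential cookie the
    site set while consent was absent or withdrawn.
    """
    return [
        (state, name, value)
        for state, headers in visits
        if state != "accepted"
        for name, value in set_cookies(headers)
        if name not in STRICTLY_NECESSARY
    ]


# Constructed sample: three page loads from one test session, not a real capture.
SAMPLE_VISITS = [
    ("none", [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=s1; Path=/; HttpOnly; Secure"),
        ("Set-Cookie", "analytics_id=abc123; Path=/; Max-Age=31536000"),  # before any consent
    ]),
    ("rejected", [
        ("Set-Cookie", "cookie_consent=rejected; Path=/; Max-Age=31536000"),
        ("Set-Cookie", "ad_tracker=xyz; Domain=.example.test; Path=/"),  # after opt-out
    ]),
    ("accepted", [
        ("Set-Cookie", "analytics_id=def456; Path=/"),  # allowed: user accepted
    ]),
]

if __name__ == "__main__":
    for state, name, value in find_consent_violations(SAMPLE_VISITS):
        print(f"consent={state}: non-essential cookie {name}={value!r} was set")
```

Each reported tuple is the kind of evidence that would back a "tracking before/after consent" finding, regardless of which report section it ends up in.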

Non-compliance to the law means that the site must be fixed. The GDPR in particular is not an "optional" law where you can accept the fines for a breach.

So it is likely that the site must be fixed. But the GDPR deadlines are tight. Many companies have realized that they need to start early. For others, like this case, it will be a rush job. And the experience with rush jobs is that at best you get what's requested. So here, last-minute changes to the site may not go through extensive security review as GDPR compliance takes precedence.

As an example, the GDPR gives customers the right to review their own data. A rushed implementation may give customers the right to review other data, including company-sensitive data and data from other customers. That is a definite security issue. Therefore, the need to hurry with GDPR compliance is correctly identified as a risk factor.

  • Another good dimension on an apparently-subtle issue – New Alexandria 22 hours ago
  • 5
    Why do answerers keep mentioning GDPR? The GDPR is not the "EU Cookie Law" - that's the ePrivacy directive. The EU's page on cookies doesn't even mention the GDPR. I freely admit that I have close to zero knowledge of these laws, but as far as I can see this answer simply has no relevance to the question that was asked. If I'm wrong, explaining how the GDPR (or, frankly, anything to do with actual user privacy) is relevant to the cookie law would help clarify why. – Mark Amery 20 hours ago
