Security researcher finds 'cookiejacking' risk in IE
A security researcher in Italy has discovered a flaw in Internet Explorer that he says could enable hackers to steal cookies from a PC and then log onto password-protected Web sites.
Referring to the exploit as "cookiejacking," Rosario Valotta claims that a zero-day vulnerability found in every version of Microsoft's IE under any version of Windows allows an attacker to hijack any cookie for any Web site.
Demonstrating his findings at security conferences this month in Switzerland and Amsterdam, Valotta acknowledges that to exploit the hole, the hacker must employ a bit of social engineering because the victim must drag and drop an object across the PC for the cookie to be stolen.
But Valotta said he was able to devise the right type of challenge on a Facebook page that required people to drag and drop an object by undressing an onscreen photo of a woman, noted Reuters, thus allowing him to capture their Facebook credentials via a cookie.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he said, according to Reuters. "And I've only got 150 friends."
From its point of view, Microsoft doesn't see much real-world risk to cookiejacking.
"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," Microsoft spokesman Jerry Bryant said in a statement sent to CNET.
"In order to possibly be impacted a user must visit a malicious Web site, be convinced to click and drag items around the page and the attacker would need to target a cookie from the Web site that the user was already logged into," added Microsoft. "We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and e-mails, as well as adjusting Internet settings to higher security levels."
Updated 8:50am PT with Microsoft statement sent to CNET.
E-mail Lance Whitney
If you have a question or comment for Lance Whitney, you can submit it here. However, because our editors and writers receive hundreds of requests, we cannot tell you when you may receive a response.
Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
