May 26, 2011

IE Security Flaw Exposes Your Cookies

An Italian security researcher has demonstrated an exploit in Microsoft's web browser that could allow remote stealing of digital credentials, or cookies, The Register is reporting.

Rosario Valotta demonstrated his "cookiejacking" proof of concept last week at the Hack in the Box security conference in Amsterdam. His hack exposes a flaw in all current versions of Internet Explorer (IE) to steal session cookies that Facebook and other websites issue once a user has entered a valid password and corresponding user name.

The cookie acts as a digital credential that allows the user to access a specific account.

This code specifically targets cookies issued by Facebook, Twitter and Google Mail, but Valotta said the technique can be used on virtually any website and affects all versions of Windows. "You can steal any cookie. There is a huge customer base affected (any IE, any Win version)."

A vulnerability was found in the security zones feature of IE that lets users separate trustworthy websites from those they don't know or don't ever want to access.

A special iframe tag is embedded into a malicious website and a hacker can circumvent this interaction causing the browser to expose cookies stored on the victim's computer.

To complete the exploit, the attacker must accomplish a variety of difficult tasks, including knowing where on the victims hard drive, the cookies are stored (it can be slightly different for various versions of Windows) and knowing the victim's Windows username. "It is complicated for the attacker but not for the victim," Valotta said.

Although a seemingly difficult task, Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook where users are challenged to "undress" a photo of an attractive woman.

"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta told Reuters. "And I've only got 150 friends."

Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam. "Given the level of required user interaction, this issue is not one we consider high risk," said Microsoft spokesman Jerry Bryant.

"In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into," Bryant said.


On the Net: