News

'Cookiejacking' Risk Found in Internet Explorer

According to Rosario Valotta, an Italian security researcher, a security breach of Internet Explorer could occur if a hacker hijacks session cookies from users' visits to a Web site.

In a process coined "cookiejacking" by Valotta, the stolen data can be used to carry out a zero-day attack. Successfully compromised systems can be installed with malware, send messages or forge clicks. The researcher warns that this flaw affects all versions of Microsoft’s Internet browser.

The exploit only occurs when a user drags and drops an object across the PC screen. Valotta was able to test this by creating a Facebook game where users dragged articles of clothing to reveal an undressed photo of a woman.

"I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server, " Valotta told Reuters. "And I've only got 150 friends."

To be leveraged into a zero-day attack a hacker would need to create an IFrame element in a Web site and have a user select the entire cookie. Using Valotta's Facebook demonstration as an example, the cookie would be hidden in the article of clothing object. Once a user drags the piece of clothing, this violates the browser’s cross-zone interaction policy, and allows the attacker access to the victim’s system.

To add another level of difficulty when performing this attack, the exploit involves hackers knowing a potential victim’s Windows username and which OS version is being used -- before getting the user to select the entire content of the harmful cookie.

While Microsoft is investigating the discovered flaw, Microsoft spokesman Jerry Bryant believes there is little risk of vulnerability being exploited. "Given the level of required user interaction, this issue is not one we consider high risk," said Bryant.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.