'Cookiejacking' Risk Found in Internet Explorer

According to Rosario Valotta, an Italian security researcher, Internet Explorer can be compromised if a hacker hijacks the session cookies from a user's visit to a Web site.

In a process Valotta has coined "cookiejacking," the stolen data can be used to carry out a zero-day attack. Once compromised, a system can be made to install malware, send messages or forge clicks. The researcher warns that the flaw affects all versions of Microsoft's browser.

The exploit only occurs when a user drags and drops an object across the PC screen. Valotta was able to test this by creating a Facebook game where users dragged articles of clothing to reveal an undressed photo of a woman.

"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta told Reuters. "And I've only got 150 friends."

To turn this into a zero-day attack, a hacker would need to create an IFrame element on a Web site and get the user to select the entire contents of the cookie. In Valotta's Facebook demonstration, the cookie was hidden inside the article-of-clothing object: when the user drags the piece of clothing, the action violates the browser's cross-zone interaction policy and gives the attacker access to the victim's system.

Adding to the difficulty of pulling off this attack, the hacker must also know the potential victim's Windows username and OS version before getting the user to select the entire contents of the harmful cookie.

While Microsoft is investigating the flaw, spokesman Jerry Bryant said there is little risk of the vulnerability being exploited. "Given the level of required user interaction, this issue is not one we consider high risk," Bryant said.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
