News

'Cookiejacking' Risk Found in Internet Explorer

According to Rosario Valotta, an Italian security researcher, a security breach of Internet Explorer could occur if a hacker hijacks session cookies from users' visits to a Web site.

In a process coined "cookiejacking" by Valotta, the stolen data can be used to carry out a zero-day attack. Successfully compromised systems can be installed with malware, send messages or forge clicks. The researcher warns that this flaw affects all versions of Microsoft’s Internet browser.

The exploit only occurs when a user drags and drops an object across the PC screen. Valotta was able to test this by creating a Facebook game where users dragged articles of clothing to reveal an undressed photo of a woman.

"I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server, " Valotta told Reuters. "And I've only got 150 friends."

To be leveraged into a zero-day attack a hacker would need to create an IFrame element in a Web site and have a user select the entire cookie. Using Valotta's Facebook demonstration as an example, the cookie would be hidden in the article of clothing object. Once a user drags the piece of clothing, this violates the browser’s cross-zone interaction policy, and allows the attacker access to the victim’s system.

To add another level of difficulty when performing this attack, the exploit involves hackers knowing a potential victim’s Windows username and which OS version is being used -- before getting the user to select the entire content of the harmful cookie.

While Microsoft is investigating the discovered flaw, Microsoft spokesman Jerry Bryant believes there is little risk of vulnerability being exploited. "Given the level of required user interaction, this issue is not one we consider high risk," said Bryant.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus