Microsoft latest security risk: "Cookiejacking"

BOSTON Wed May 25, 2011 6:16pm EDT

Related Topics

BOSTON (Reuters) - A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.

He calls the technique "cookiejacking."

"Any website. Any cookie. Limit is just your imagination," said Rosario Valotta, an independent Internet security researcher based in Italy.

Hackers can exploit the flaw to access a data file stored inside the browser known as a "cookie," which holds the login name and password to a web account, Valotta said via email

Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique "cookiejacking."

The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.

To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC's screen before the cookie can be hijacked.

That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to "undress" a photo of an attractive woman.

"I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends."

Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.

"Given the level of required user interaction, this issue is not one we consider high risk," said Microsoft spokesman Jerry Bryant.

"In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into," Bryant said.

(Editing by Steve Orlofsky)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (3)
VanGuy44 wrote:
Actually this article is somewhat misleading. Knowing how to cookiejack, I can say that it really comes down to proper website design. Facebook and other websites have (hopefully) designed security in more ways than a simple cookie. But all you need to hijack a Facebook session is a simple wireless card in an insecure wireless hotspot.

May 25, 2011 8:31pm EDT  --  Report as abuse
LuoBoTi wrote:
80 male friends and 70 female?

May 26, 2011 10:41am EDT  --  Report as abuse
1progressive wrote:
The article states that the cookie “holds the login name and password to a web account.” This is not accurate. The cookie stores a key that authenticates a user for the session, after the user has logged in to a website. That’s why stealing the cookie can allow the hacker to be authenticated. It’s an important distinction, because cookies should never store a password: that would be bad security practice indeed.

May 26, 2011 10:59am EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.