AfterDawn: Tech news

Researcher details 'Cookiejacking' flaw in Internet Explorer

Written by James Delahunty (Google+) @ 26 May 2011 15:04 User comments (1)

Researcher details 'Cookiejacking' flaw in Internet Explorer An independent researcher has demonstrated a flaw in Internet Explorer that he says can be used to steal access credentials to Facebook, Twitter and hoards of other sites.
He calls the technique "cookiejacking", as it relies on the cookie information stored by the web browser to keep users access credentials and other information for certain websites. Depending on many conditions, stealing cookie credentials (which is by no means a new attack method) could allow a hacker to access the account of a victim on a certain website.

In this case, the Italian researcher, Rosario Valotta, finds that to exploit the flaw, you need to persuade a victim to click an item in the browser, drag it and then drop it somewhere. While it sounds like a difficult task, Valotta put it to test with his Facebook account with surprising results.

He built a puzzle which allows a user to use their pointer to undress a photo of an attractive woman. The drag/drop motion needed by the puzzle is enough to exploit the flaw in IE.

"I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends."

Microsoft is aware of the problem but it is not considering it high risk, due to the level of user interaction required and other factors, such as the need to target cookies from the website a user has already logged into.

Tags: Facebook
Previous Next  

1 user comment

127.5.2011 11:53

This is why people need to enable private browsing all the time.

The only thing nastier than cookies is Java.

This message has been edited since its posting. Latest edit was made on 27 May 2011 @ 11:54

Comments have been disabled for this article.

News archive