
Researcher details 'Cookiejacking' flaw in Internet Explorer

Written by James Delahunty @ 26 May 2011 3:04

An independent researcher has demonstrated a flaw in Internet Explorer that he says can be used to steal access credentials to Facebook, Twitter and hordes of other sites.
He calls the technique "cookiejacking", as it relies on the cookie information stored by the web browser to keep users' access credentials and other information for certain websites. Depending on many conditions, stealing cookie credentials (which is by no means a new attack method) could allow a hacker to access a victim's account on a certain website.
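The article's point is that a session cookie is, in effect, a credential: whoever holds a copy can present it as the victim. The following is an added example, not code from the article or from Valotta's research, showing one server-side way a site can limit what a copied cookie is worth. It assumes a hypothetical web application that stores session state on the server under an opaque session id, binds each session to a fingerprint of the client that created it (user agent plus the client's /24 network, an assumption chosen so that ordinary address changes do not log users out), enforces an idle timeout, and records an alert whenever a cookie is presented from a mismatching client.

```python
"""Server-side session binding as a mitigation for stolen session cookies.

Added example (not from the article). Assumes a hypothetical application
that keeps session state server-side, keyed by an opaque cookie value.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60  # constructed value: 30-minute idle timeout


def client_fingerprint(user_agent: str, ip: str) -> str:
    """Hash of client properties recorded at login.

    Assumption: the IP is reduced to its /24 so clients whose address
    shifts within one network are not logged out on every request.
    """
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


class SessionStore:
    """In-memory session table; `now` is injectable so expiry is testable."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now
        self.alerts = []  # constructed audit log of (reason, user) tuples

    def create(self, user: str, user_agent: str, ip: str) -> str:
        """Issue a fresh, unguessable session id bound to this client."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "user": user,
            "fp": client_fingerprint(user_agent, ip),
            "last_seen": self._now(),
        }
        return sid

    def resolve(self, sid: str, user_agent: str, ip: str):
        """Return the user behind a presented cookie, or None.

        A cookie that is expired, or that arrives from a client whose
        fingerprint does not match the one recorded at login, is revoked
        and an alert is recorded for the security team.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._now()
        if now - sess["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]
            self.alerts.append(("expired", sess["user"]))
            return None
        presented = client_fingerprint(user_agent, ip)
        if not hmac.compare_digest(presented, sess["fp"]):
            # The same cookie value replayed from elsewhere: revoke it so
            # neither the holder of the copy nor the victim's browser can
            # keep using it, and leave a trace for investigation.
            del self._sessions[sid]
            self.alerts.append(("fingerprint_mismatch", sess["user"]))
            return None
        sess["last_seen"] = now
        return sess["user"]


def demo():
    """Constructed walk-through: a legitimate use, then a replayed copy."""
    store = SessionStore()
    sid = store.create("alice", "Browser/1.0", "203.0.113.10")
    ok = store.resolve(sid, "Browser/1.0", "203.0.113.10")
    replay = store.resolve(sid, "Other/2.0", "198.51.100.5")
    return ok, replay, store.alerts


if __name__ == "__main__":
    print(demo())
```

The fingerprint is deliberately coarse: a copied cookie used from the victim's own machine would still match, so binding reduces, rather than removes, the value of a stolen cookie. The short idle timeout and the alert on mismatch are what turn a silent account takeover into something the site can notice and cut short.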

In this case, the Italian researcher, Rosario Valotta, found that to exploit the flaw you need to persuade a victim to click an item in the browser, drag it and then drop it somewhere. While it sounds like a difficult task, Valotta put it to the test with his Facebook account, with surprising results.

He built a puzzle which allows a user to use their pointer to undress a photo of an attractive woman. The drag/drop motion needed by the puzzle is enough to exploit the flaw in IE.

"I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends."

Microsoft is aware of the problem but it is not considering it high risk, due to the level of user interaction required and other factors, such as the need to target cookies from the website a user has already logged into.

Tags: Facebook

1 user comment

27.5.2011 11:53

This is why people need to enable private browsing all the time.

The only thing nastier than cookies is Java.

This message has been edited since its posting. Latest edit was made on 27 May 2011 @ 11:54

