BOSTON (Reuters) - A computer
security researcher has found a flaw in Microsoft Corp's widely used Internet
Explorer browser that he said could let hackers steal credentials to access
FaceBook, Twitter and other websites.
He calls the technique "cookiejacking."
"Any website. Any cookie. Limit is just your imagination," said
Rosario Valotta, an independent Internet security researcher based in Italy.
Hackers can exploit the flaw to access a data file stored inside the browser
known as a "cookie," which holds the login name and password to a web
account, Valotta said via email
Once a hacker has that cookie, he or she can use it to access the same site,
said Valotta, who calls the technique "cookiejacking."
The vulnerability affects all versions of Internet Explorer, including IE 9,
on every version of the Windows operating system.
To exploit the flaw, the hacker must persuade the victim to drag and drop an
object across the PC's screen before the cookie can be hijacked.
That sounds like a difficult task, but Valotta said he was able to do it
fairly easily. He built a puzzle that he put up on Facebook in which users are
challenged to "undress" a photo of an attractive woman.
"I published this game online on FaceBook and in less than three days,
more than 80 cookies were sent to my server," he said. "And I've only
got 150 friends."
Microsoft said there is little risk a hacker could succeed in a real-world
cookiejacking scam.
"Given the level of required user interaction, this issue is not one we
consider high risk," said Microsoft spokesman Jerry Bryant.
"In order to possibly be impacted a user must visit a malicious
website, be convinced to click and drag items around the page and the attacker
would need to target a cookie from the website that the user was already logged
into," Bryant said.
security researcher has found a flaw in Microsoft Corp's widely used Internet
Explorer browser that he said could let hackers steal credentials to access
FaceBook, Twitter and other websites.
He calls the technique "cookiejacking."
"Any website. Any cookie. Limit is just your imagination," said
Rosario Valotta, an independent Internet security researcher based in Italy.
Hackers can exploit the flaw to access a data file stored inside the browser
known as a "cookie," which holds the login name and password to a web
account, Valotta said via email
Once a hacker has that cookie, he or she can use it to access the same site,
said Valotta, who calls the technique "cookiejacking."
The vulnerability affects all versions of Internet Explorer, including IE 9,
on every version of the Windows operating system.
To exploit the flaw, the hacker must persuade the victim to drag and drop an
object across the PC's screen before the cookie can be hijacked.
That sounds like a difficult task, but Valotta said he was able to do it
fairly easily. He built a puzzle that he put up on Facebook in which users are
challenged to "undress" a photo of an attractive woman.
"I published this game online on FaceBook and in less than three days,
more than 80 cookies were sent to my server," he said. "And I've only
got 150 friends."
Microsoft said there is little risk a hacker could succeed in a real-world
cookiejacking scam.
"Given the level of required user interaction, this issue is not one we
consider high risk," said Microsoft spokesman Jerry Bryant.
"In order to possibly be impacted a user must visit a malicious
website, be convinced to click and drag items around the page and the attacker
would need to target a cookie from the website that the user was already logged
into," Bryant said.