Microsoft latest security risk: "Cookiejacking

Discussion in 'The Water Cooler' started by reghakr, May 27, 2011.

  1. reghakr

    reghakr Excellent Member

    Joined:
    Jan 26, 2009
    Messages:
    14,220
    Likes Received:
    180
    BOSTON (Reuters) – A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.

    He calls the technique "cookiejacking."

    "Any website. Any cookie. Limit is just your imagination," said Rosario Valotta, an independent Internet security researcher based in Italy.

    Hackers can exploit the flaw to access a data file stored inside the browser known as a "cookie," which holds the login name and password to a web account, Valotta said via email

    Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique "cookiejacking."

    The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.

    To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC's screen before the cookie can be hijacked.

    That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to "undress" a photo of an attractive woman.

    "I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends."

    Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.

    "Given the level of required user interaction, this issue is not one we consider high risk," said Microsoft spokesman Jerry Bryant.

    "In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into," Bryant said.

    (Editing by Steve Orlofsky)

    Soure: Microsoft latest security risk: "Cookiejacking" - Yahoo! News
     
  2. reghakr

    reghakr Excellent Member

    Joined:
    Jan 26, 2009
    Messages:
    14,220
    Likes Received:
    180
    An Italian security researcher has found a new security flaw in Microsoft's Internet Explorer web browser that could allow hackers to steal login information and passwords.

    The threat comes in the form of a 'cookiejacking' scheme (related to session hijacking), which allows hackers to review website history and then use that to enter protected domains.

    Rosario Valotta recently demonstrated his cookingjacking findings at security conferences in Switzerland and Amsterdam. He acknowledged that exploiting the flaw isn't particularly easy, requiring a hacker to convince an online user to drag and drop an item on their PC in order for the cookie to be extracted and then exploited. (Source: informationweek.com)

    Drag and Drop Scheme Fools Facebook Users

    If the scheme sounds complex, it really isn't.

    Valotta demonstrated to his audience that crafting a malicious Facebook page to require a user to 'drag and drop' is as simple using a Facebook game.

    In his example, Valotta made a game that allows a user to drag clothes off the picture of a good-looking woman, which then performed the 'drag and drop' action, thus allowing him access to the user's Facebook credentials (via cookie) in the process.

    "I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta said. "And I've only got 150 friends."

    Those cookies could then be examined for login and password information. They could then be used to hijack accounts of all sorts, including those associated with financial institutions.

    Microsoft: Threat Not "High Risk"
    Surprisingly, Microsoft doesn't seem all that bothered by the flaw.

    "Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," said Microsoft spokesman, Jerry Bryant. (Source: cnet.com)

    "In order to possibly be impacted, a user must visit a malicious Web site, be convinced to click and drag items around the page and the attacker would need to target a cookie from the Web site that the user was already logged into."

    "We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and email, as well as adjusting Internet settings to higher security levels," Bryant added.

    Source: New 'Cookiejacking' Threat Hits Internet Explorer / Infopackets.com
     
  3. reghakr

    reghakr Excellent Member

    Joined:
    Jan 26, 2009
    Messages:
    14,220
    Likes Received:
    180
    SOFTWARE FLOGGER Microsoft and Trend Micro have got into a dispute about the severity of a vulnerability in Internet Explorer that could allow a hacker to steal a victim's cookies.

    It all centres around a vulnerability found by Italian security researcher Rosario Valetto called 'cookiejacking', or what is more well known as session hijacking. He said all versions of Internet Explorer have the bug, which if exploited can allow a hacker to steal data items from the web browser that are known as cookies.

    To exploit the flaw, a user needs to be persuaded to drag and drop an object across a PC screen before cookies can be hijacked. This might sound difficult, but you can imagine it being effective if set up nicely, as shown in the video below where a user 'undresses' a picture of an attractive woman.



    In a statement, a Microsoft spokesperson said, "Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users."

    "In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."

    "We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and emails, as well as adjusting Internet settings to higher security levels."

    But Robert McArdle, senior threat researcher at Trend Micro, wasn't particularly impressed by the response. He said the statement was inaccurate, as malicious websites are visited every day, and that the use of social engineering to persuade people to drag items is effective. There are always going to be cookies on machines, he added, as most people don't clear cookies that often.

    He said, "Their advice - that this issue is not to be taken seriously and does not pose high risk - is misguided. Such comments could lead non-technical users to think that visiting malicious websites is unlikely, and could lead other users to think that they won't be duped or compromised just by visiting a malicious website."

    Source: Microsoft is accused of giving misguided security advice- The Inquirer
     
    #3 reghakr, May 27, 2011
    Last edited by a moderator: Jul 26, 2013

Share This Page

Loading...