An independent security consultant demonstrated a "cookiejacking" technique to show how attackers can steal Web cookies to access user accounts online.
unpatched vulnerability in Internet Explorer allows attackers to steal login
credentials to various Websites via cookies, according to a security
can exploit the Internet Explorer flaw to steal cookies from user computers and
use the saved information to access user data. The researcher, Rosario
Valotta, demonstrated the exploit at the Hack in the Box security conference in
Amsterdam on May 20.
are text files that Websites constantly save onto computers with information about
user activity, such as login credentials, the contents of a shopping cart, or
what sites the user has recently visited.
attacker has to guess the users' username for accounts, but can find passwords
by using "an advanced clickjacking technique." Clickjacking occurs when users
are tricked into clicking on a button or link that looks innocent, but is
crafted to steal information. The "cookiejacking" attack violates IE's
cross-zone interaction policy and exploits a zero-day vulnerability that is present
in all versions of Internet Explorer and can be exploited on all Windows
versions, according to a May 23 post on his Tentacolo Viola blog
cookie. Any Website. Ouch," Valotta wrote. The stolen cookies can be used to
download malware onto user machines or log in to user accounts. The proof of
concept targeted Facebook, Twitter and Google Mail cookies, but Valotta said
any Website can be targeted.
created a game that opened up in a new Internet Explorer window to illustrate
his "cookiejacking" technique. While users played the game by clicking and
dragging objects, what was really happening was that the cookie file was being
opened and the contents of the file were being selected and copied. This way,
the attacker can intercept cookies for any sites the user had accessed during
that Web session. For the attack to work, the attacker would need to know which
are stored in different locations.
put the test case on Facebook and got 80 responses, Valotta said.
Explorer uses "Security Zones" to group Websites according to level of trust,
and prevents content from different zones from interacting. Sites that users
consider safe, which are assigned to a higher trust zone, shouldn't be sharing
information with less trusted sites. When a cookie file is loaded into the
browser using an IFrame embedded on a malicious file, it violates the Cross
Zone policy as "an Internet page is accessing a local file," Valotta wrote.
displaying the contents of the cookie file in the IFrame is not enough, since
This is why Valotta created the game to trick users into dragging and dropping
game pieces, actually cookie content, into an "attacker controlled HTML
is complicated for the attacker, but not for the victim," Valotta told The
number of things the person needs to obtain before launching a successful
attack makes it only a moderate risk for users. Considering that many malicious
attacks involve tricking users into giving up usernames and there are rogue
portals that already check what operating system the victims are running before
delivering a customized payload, neither of the "obstacles" will slow down any
criminals interested in using this technique. Valotta also pointed out that
Internet Explorer automatically returns usernames as plaintext when getting
images or other resources from the remote server. All an attacker needs is a
script to "sniff" the username.
is aware of the issue and will roll out a patch in an upcoming update, a
Microsoft spokesperson told eWEEK.