IE Flaw Lets Attackers Steal Cookies, Access User Accounts

An unpatched vulnerability in Internet Explorer allows attackers to steal login credentials to various Websites via cookies, according to a security researcher.

Attackers can exploit the Internet Explorer flaw to steal cookies from user computers and use the saved information to access user data. The researcher, Rosario Valotta, demonstrated the exploit at the Hack in the Box security conference in Amsterdam on May 20.

Cookies are text files that Websites constantly save onto computers with information about user activity, such as login credentials, the contents of a shopping cart, or what sites the user has recently visited.

The attacker has to guess the users’ username for accounts, but can find passwords by using “an advanced clickjacking technique.” Clickjacking occurs when users are tricked into clicking on a button or link that looks innocent, but is crafted to steal information. The “cookiejacking” attack violates IE’s cross-zone interaction policy and exploits a zero-day vulnerability that is present in all versions of Internet Explorer and can be exploited on all Windows versions, according to a May 23 post on his Tentacolo Viola blog.

 “Any cookie. Any Website. Ouch,” Valotta wrote. The stolen cookies can be used to download malware onto user machines or log in to user accounts. The proof of concept targeted Facebook, Twitter and Google Mail cookies, but Valotta said any Website can be targeted.

Valotta created a game that opened up in a new Internet Explorer window to illustrate his “cookiejacking” technique. While users played the game by clicking and dragging objects, what was really happening was that the cookie file was being opened and the contents of the file were being selected and copied. This way, the attacker can intercept cookies for any sites the user had accessed during that Web session. For the attack to work, the attacker would need to know which version of the Windows operating system their targets are using because cookies are stored in different locations.

He put the test case on Facebook and got 80 responses, Valotta said.

Internet Explorer uses “Security Zones” to group Websites according to level of trust, and prevents content from different zones from interacting. Sites that users consider safe, which are assigned to a higher trust zone, shouldn’t be sharing information with less trusted sites. When a cookie file is loaded into the browser using an IFrame embedded on a malicious file, it violates the Cross Zone policy as “an Internet page is accessing a local file,” Valotta wrote.

Just displaying the contents of the cookie file in the IFrame is not enough, since Internet Explorer won’t allow the site to access the data using JavaScript. This is why Valotta created the game to trick users into dragging and dropping game pieces, actually cookie content, into an “attacker controlled HTML element.”

“It is complicated for the attacker, but not for the victim,” Valotta told The Register.

The number of things the person needs to obtain before launching a successful attack makes it only a moderate risk for users. Considering that many malicious attacks involve tricking users into giving up usernames and there are rogue portals that already check what operating system the victims are running before delivering a customized payload, neither of the “obstacles” will slow down any criminals interested in using this technique. Valotta also pointed out that Internet Explorer automatically returns usernames as plaintext when getting images or other resources from the remote server. All an attacker needs is a script to “sniff” the username.

Microsoft is aware of the issue and will roll out a patch in an upcoming update, a Microsoft spokesperson told eWEEK.