An unpatched vulnerability in Internet Explorer allows attackers to steal login credentials to various Websites via cookies, according to a security researcher.
Attackers can exploit the Internet Explorer flaw to steal cookies from user computers and use the saved information to access user data. The researcher, Rosario Valotta, demonstrated the exploit at the Hack in the Box security conference in Amsterdam on May 20.
Cookies are text files that Websites constantly save onto computers with information about user activity, such as login credentials, the contents of a shopping cart, or what sites the user has recently visited.
The attacker has to guess the users' username for accounts, but can find passwords by using "an advanced clickjacking technique." Clickjacking occurs when users are tricked into clicking on a button or link that looks innocent, but is crafted to steal information. The "cookiejacking" attack violates IE's cross-zone interaction policy and exploits a zero-day vulnerability that is present in all versions of Internet Explorer and can be exploited on all Windows versions, according to a May 23 post on his Tentacolo Viola blog.
"Any cookie. Any Website. Ouch," Valotta wrote. The stolen cookies can be used to download malware onto user machines or log in to user accounts. The proof of concept targeted Facebook, Twitter and Google Mail cookies, but Valotta said any Website can be targeted.
He put the test case on Facebook and got 80 responses, Valotta said.
Internet Explorer uses "Security Zones" to group Websites according to level of trust, and prevents content from different zones from interacting. Sites that users consider safe, which are assigned to a higher trust zone, shouldn't be sharing information with less trusted sites. When a cookie file is loaded into the browser using an IFrame embedded on a malicious file, it violates the Cross Zone policy as "an Internet page is accessing a local file," Valotta wrote.
"It is complicated for the attacker, but not for the victim," Valotta told The Register.
The number of things the person needs to obtain before launching a successful attack makes it only a moderate risk for users. Considering that many malicious attacks involve tricking users into giving up usernames and there are rogue portals that already check what operating system the victims are running before delivering a customized payload, neither of the "obstacles" will slow down any criminals interested in using this technique. Valotta also pointed out that Internet Explorer automatically returns usernames as plaintext when getting images or other resources from the remote server. All an attacker needs is a script to "sniff" the username.
Microsoft is aware of the issue and will roll out a patch in an upcoming update, a Microsoft spokesperson told eWEEK.