Microsoft latest security risk: "Cookiejacking"


    Posted: 25 May 2011
    A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.
    He calls the technique "cookiejacking."


    "Any website. Any cookie. Limit is just your imagination," said Rosario Valotta, an independent Internet security researcher based in Italy.
    Hackers can exploit the flaw to access a data file stored inside the browser known as a "cookie," which holds the login name and password to a web account, Valotta said via email.


    Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique "cookiejacking."
    The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.


    To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC's screen before the cookie can be hijacked.
    Posted By: Airbot



  1. Posts : 2,298
    Windows 7 Professional x64 SP1 ; Windows Server 2012 R2 Standard
       #1

    IE Flaw Could Allow Hackers Access to your social networking accounts


    networkworld said:
    Regardless of the version of Windows you use, if you also use any versions of Microsoft's Internet Explorer, then you might not want to do any drag-and-dropping within your IE browser, or you might be done in by "cookiejacking." It's not the CookieMonster or Firesheep, but there is a zero-day hole in IE that allows an attacker to steal any session cookies from any website.
    At the Hack In A Box conference in Amsterdam, Italian security researcher Rosario Valotta demonstrated a cookiejacking attack. A session cookie holds information like your username and your password. Once those cookies are stolen, it allows an attacker to access wherever the victim is logged in like Gmail, Facebook, Twitter or other online accounts.


  2. Posts : 2,393
    Microsoft Windows 7 Ultimate: x64 (SP1)
       #2

    Interesting


  3. Posts : 795
    10 Home x64
       #3

    This doesn't apply to any other browser, does it? Hopefully Microsoft will release a security update addressing this.


  4. Posts : 2,298
    Windows 7 Professional x64 SP1 ; Windows Server 2012 R2 Standard
       #4

    No, looks like it doesn't - hopefully they do bring an update

    Josh


  5. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #5

    When something like this comes along I do wonder how many people Microsoft has checking, verifying, and fixing the problem.


  6. Posts : 2,578
    Vista 64 bit and 32 bit (SP2)
       #6

    This method of hijacking confidential information, using clever 'attachments' as bait, just serves as another excellent reminder to be very cautious when using the internet. We already know that attachments (in any form) are highly suspect for carrying malware of all kinds -- we now are aware of yet another method/form of using them to steal our confidential information. As someone who has had funds stolen out of my bank account by a PayPal hijacker, I am especially appreciative of this warning!


  7. Posts : 3,427
    Windows 10 Pro x64
       #7

    I don't get this bit:
    Microsoft is not too worried about this zero-day hole in all versions of IE. Microsoft spokesman Jerry Bryant said, "Given the level of required user interaction, this issue is not one we consider high risk. In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."
    The guy who demonstrated it created a Facebook app, which you have to drag and drop to play... and surely the targeted cookie would be Facebook in that case? Back when I used Facebook, judging from the amount of crap that got posted to my wall, everyone was always playing whatever games, with hardly a care about security/malware. Seems to me this is a very valid attack.


  8. Posts : 784
    Linux Mint 17 Cinnamon | Win 7 Ult x64
       #8

    Airbot said:
    A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.
    He calls the technique "cookiejacking."
    I know I'll get jumped on... But this is a bad thing??? Nah...

    I live for the day sites like Facebook and Twitter are shut down...

    <rant> My kids, like so many others, have lost the ability to communicate face to face, walk around like zombies and sleep with their iPods and iPhones in their hands.. They will check and update their Facebook wall in preference to visiting the bathroom... When you're trying to watch TV the damn devices are making noises every 2 minutes as things are updated... <end rant>


  9. Posts : 63
    7 64 bit Home Premium
       #9

    Tanyam said:
    Airbot said:
    A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.
    He calls the technique "cookiejacking."
    I know I'll get jumped on... But this is a bad thing??? Nah...

    I live for the day sites like Facebook and Twitter are shut down...

    <rant> My kids, like so many others, have lost the ability to communicate face to face, walk around like zombies and sleep with their iPods and iPhones in their hands.. They will check and update their Facebook wall in preference to visiting the bathroom... When you're trying to watch TV the damn devices are making noises every 2 minutes as things are updated... <end rant>
    How old are they?


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.