Microsoft latest security risk: "Cookiejacking"

[Airbot]

A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.
He calls the technique "cookiejacking."


"Any website. Any cookie. Limit is just your imagination," said Rosario Valotta, an independent Internet security researcher based in Italy.
Hackers can exploit the flaw to access a data file stored inside the browser known as a "cookie," which holds the login name and password to a web account, Valotta said via email


Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique "cookiejacking."
The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.


To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC's screen before the cookie can be hijacked.

more

 

[Shadowjk]

IE Flaw Could Allow Hackers Access to your social networking accounts

Regardless of the version of Windows you use, if you also use any versions of Microsoft's Internet Explorer, then you might not want to do any drag-and-dropping within your IE browser, or you might be done in by "cookiejacking." It's not the CookieMonster or Firesheep, but there is a zero-day hole in IE that allows an attacker to steal any session cookies from any website.
At the Hack In A Box conference in Amsterdam, Italian security researcher Rosario Valotta demonstrated a cookiejacking attack. A session cookie holds information like your username and your password. Once those cookies are stolen, it allows an attacker to access wherever the victim is logged in like Gmail, Facebook, Twitter or other online accounts.

Read more ...

 

[FredeGail]

Interesting

 

[MadSupra354]

This doesn't apply to any other browser, does it? Hopefully Microsoft will release a security update addressing this.

 

[Shadowjk]

No Looks like it doesn't - Hopefully they do bring an Update

Josh

 

[Layback Bear]

When something like this comes along I do wonder how man people Microsoft has checking, verifying, and fixing the problem.

 

[Imperfect1]

This method of hijacking confidential information, using clever 'attachments' as bait, just serves as another excellent reminder to be very cautious when using the internet. We already know that attachments (in any form) are highly suspect for carrying malware of all kinds -- we now are aware of yet another method/form of using them to steal our confidential information. As someone who has had funds stolen out of my bank account by a PayPal hijacker, I am especially appreciative of this warning!

 

[severedsolo]

I don't get this bit:

Microsoft is not too worried about this zero-day hole in all versions of IE. Microsoft spokesman Jerry Bryant said, "Given the level of required user interaction, this issue is not one we consider high risk. In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."

The guy who demonstrated it created a Facebook app, which you have to drag and drop to play... and surely the targeted cookie would be facebook in that case? Back when I used facebook, judging from the amount of crap that got posted to my wall, everyone was always playing whatever games, with hardly a care about security/malware. Seems to be this is a very valid attack.

 

[TanyaC]

A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.
He calls the technique "cookiejacking."

I know i'll get jumped on... But this is a bad thing??? Nah...

I live for the day sites like facebook and Twitter are shut down...

<rant> My kids, like so many others, have lost the ability to communicate face to face, walk around like zombies and sleep with their iPods and iPhones in their hands.. They will check and update their facebook wall in preference to visiting the bathroom... When you're trying to watch TV the damn devices are making noises every 2 minutes as things re updated... <end rant>

 

[sablegsd]

A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.
He calls the technique "cookiejacking."

I know i'll get jumped on... But this is a bad thing??? Nah...

I live for the day sites like facebook and Twitter are shut down...

<rant> My kids, like so many others, have lost the ability to communicate face to face, walk around like zombies and sleep with their iPods and iPhones in their hands.. They will check and update their facebook wall in preference to visiting the bathroom... When you're trying to watch TV the damn devices are making noises every 2 minutes as things re updated... <end rant>

How old are they?

 

[TanyaC]

A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access FaceBook, Twitter and other websites.
He calls the technique "cookiejacking."

I know i'll get jumped on... But this is a bad thing??? Nah...

I live for the day sites like facebook and Twitter are shut down...

<rant> My kids, like so many others, have lost the ability to communicate face to face, walk around like zombies and sleep with their iPods and iPhones in their hands.. They will check and update their facebook wall in preference to visiting the bathroom... When you're trying to watch TV the damn devices are making noises every 2 minutes as things re updated... <end rant>

How old are they?

15, 16, and 20

 

[Tepid]

That's where spilled water comes in handy.

Or a glass of water and a trip hazard comes in handy.