New 'Cookiejacking' Threat Hits Internet Explorer
An Italian security researcher has found a new security flaw in Microsoft's Internet Explorer web browser that could allow hackers to steal login information and passwords.
The threat comes in the form of a 'cookiejacking' scheme (related to session hijacking), which allows hackers to review website history and then use that to enter protected domains.
Rosario Valotta recently demonstrated his cookiejacking findings at security conferences in Switzerland and Amsterdam. He acknowledged that exploiting the flaw isn't particularly easy, requiring a hacker to convince an online user to drag and drop an item on their PC in order for the cookie to be extracted and then exploited. (Source: informationweek.com)
Drag and Drop Scheme Fools Facebook Users
If the scheme sounds complex, it really isn't.
Valotta demonstrated to his audience that crafting a malicious Facebook page that requires a user to 'drag and drop' is as simple as using a Facebook game.
In his example, Valotta made a game that allows a user to drag clothes off the picture of a good-looking woman, which then performed the 'drag and drop' action, thus allowing him access to the user's Facebook credentials (via cookie) in the process.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta said. "And I've only got 150 friends."
Those cookies could then be examined for login and password information. They could then be used to hijack accounts of all sorts, including those associated with financial institutions.
Microsoft: Threat Not "High Risk"
Surprisingly, Microsoft doesn't seem all that bothered by the flaw.
"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," said Microsoft spokesman, Jerry Bryant. (Source: cnet.com)
"In order to possibly be impacted, a user must visit a malicious Web site, be convinced to click and drag items around the page and the attacker would need to target a cookie from the Web site that the user was already logged into."
"We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and email, as well as adjusting Internet settings to higher security levels," Bryant added.