New 'Cookiejacking' Threat Hits Internet Explorer
An Italian security researcher has found a new security flaw in Microsoft's Internet Explorer web browser that could allow hackers to steal login information and passwords.
The threat comes in the form of a 'cookiejacking' scheme (related to session hijacking), which allows hackers to review website history and then use that to enter protected domains.
Rosario Valotta recently demonstrated his cookiejacking findings at security conferences in Switzerland and Amsterdam. He acknowledged that exploiting the flaw isn't particularly easy, requiring a hacker to convince an online user to drag and drop an item on their PC in order for the cookie to be extracted and then exploited. (Source: informationweek.com)
Drag and Drop Scheme Fools Facebook Users
If the scheme sounds complex, it really isn't.
Valotta demonstrated to his audience that crafting a malicious Facebook page to require a user to 'drag and drop' is as simple as using a Facebook game.
In his example, Valotta made a game in which a user drags clothes off the picture of a good-looking woman. Doing so performed the 'drag and drop' action, giving him access to the user's Facebook credentials (via cookie) in the process.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta said. "And I've only got 150 friends."
Those cookies could then be examined for login and password information. They could then be used to hijack accounts of all sorts, including those associated with financial institutions.
Microsoft: Threat Not "High Risk"
Surprisingly, Microsoft doesn't seem all that bothered by the flaw.
"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," said Microsoft spokesman, Jerry Bryant. (Source: cnet.com)
"In order to possibly be impacted, a user must visit a malicious Web site, be convinced to click and drag items around the page and the attacker would need to target a cookie from the Web site that the user was already logged into."
"We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and email, as well as adjusting Internet settings to higher security levels," Bryant added.