'Cookiejacking' zero-day flaw in IE exposes passwords to any site

Microsoft says clickjack/JavaScript/cookie-extraction exploit too complex to work in the wild

Insecurity has reached a new level when end users can have their online identities stolen by people scooping up data created to take advantage of the same users in a different way. Especially if they thought that exact risk had been squashed three or four years ago.

"Cookiejacking" is the newest exploit to highlight a ludicrous flaw in Internet Explorer."

The technique allows hackers to steal credentials to FaceBook, Twitter and other sites by reading login names and passwords from the IE cookies file, according to independent security researcher Rosario Valotta who demonstrated the technique at conferences in Switzerland and Amsterdam earlier this month.

Valotta told Reuters the technique could get credentials for any web site or any cookie without using cros-site-scripting (XSS), which many security apps shut down automatically.

FaceBook, Google and other popular online services made security tighter during the past few months by, among other things, making sure login information wasn't stored unencrypted in cookie files as they once were for some.

Cookiejacking was a primary reason. It's been around since at least 2007, and was a major topic at security conferences in 2008, not to mention being the subject of academic investigation and remediation.

It's not as easy as Reuters makes it sound, though.

Making it work requires knowing the users's Windows username, or sniffing it in ways Valotta describes in his FAQ, and know what version of Windows the victim uses.

You also have to salt a web page with an iFrame that looks like a clickable part of the UI, but has code behind it for a content-extracting clickjacking technique. When the user clicks and drags the visible part of the frame, a hidden frame grabs live-session cookie data from the cookie file.

Valotta provides a little video of the cookiejacking in action, as well as detailed descriptions.

A Microsoft spokesman told Reuters that the series of actions necessary to make a successful cookiejacking made the risk to average consumers a small one.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon