  1.    #1  
    Hi all,

    FYI.

    Take care,

    Jay

    Microsoft Latest Security Risk: 'Cookiejacking'

    By REUTERS, May 25, 2011, (Editing by Steve Orlofsky)

    http://www.nytimes.com/reuters/2011/...gewanted=print

    BOSTON (Reuters) - A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access Facebook, Twitter and other websites.

    He calls the technique "cookiejacking."

    "Any website. Any cookie. Limit is just your imagination," said Rosario Valotta, an independent Internet security researcher based in Italy.

    Hackers can exploit the flaw to access a data file stored inside the browser known as a "cookie," which holds the login name and password to a web account, Valotta said via email.

    Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique "cookiejacking."

    The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.

    To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC's screen before the cookie can be hijacked.

    That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to "undress" a photo of an attractive woman.

    "I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends."

    Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.

    "Given the level of required user interaction, this issue is not one we consider high risk," said Microsoft spokesman Jerry Bryant.

    "In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into," Bryant said.
    Please Support Research into Fibromyalgia, Chronic Pain and Spinal Injuries. If You Suffer from These, Consider Joining or Better Yet Forming a Support Group. No One Should Suffer from the Burden of Chronic Pain, Jay M. S. Founder, Leesburg Fibromyalgia/Resources Group
  2. #2  
    Brings new meaning to the term cookie jacking.
  3.    #3  
    Hi all,

    Here is some follow up info. Please see the link for the rest of this article.

    Take care,

    Jay

    May 27, 2011
    Zero-Day 'Cookiejacking' Hack Affects All IE Browsers, But Is It Serious?
    By DAN ROWINSKI of ReadWriteWeb

    Zero-Day 'Cookiejacking' Hack Affects All IE Browsers, But Is It Serious? - NYTimes.com

    A sophisticated new hack has emerged as a zero-day exploit for all versions of Internet Explorer. Dubbed "cookiejacking," it is a way for hackers to take control of users' browser identities and thus be able to impersonate them on Facebook, Twitter or any encrypted bank or retail site.

    A play off the now familiar "clickjacking" term, cookiejacking happens when a hacker gets a user to drag and drop an item on a website enabled for the hack. It was discovered by Italian security researcher Rosario Valotta, who presented his findings at two European security conferences earlier this year before publishing them on his blog. Given the nature of the attack and specificity of the attack, is this something that Internet Explorer users really need to worry about?