Regardless of which version of Windows you use, if you also use any version of Microsoft's Internet Explorer, you might not want to do any drag-and-dropping within IE, or you could be done in by "cookiejacking." It's not CookieMonster or Firesheep, but it is a zero-day hole in IE that lets an attacker steal session cookies from any website.
At the Hack In The Box conference in Amsterdam, Italian security researcher Rosario Valotta demonstrated a cookiejacking attack. A session cookie holds information like your username and your password. Once those cookies are stolen, an attacker can access wherever the victim is logged in, such as Gmail, Facebook, Twitter or other online accounts. His code to exploit the flaw explicitly targets cookies issued by Facebook, Twitter and Gmail, but Valotta says his technique can be used on any website. The attacker is only as limited as his imagination.
The vulnerability was found in IE's security zone mechanism, which is supposed to keep zones from mixing; it's meant to prevent sites in the "untrusted" Internet zone from embedding content from the "trusted" local zone. Yet Valotta discovered that cookies were exempt from the security mechanism and could be loaded into iframes. The cookie text was rendered invisible and moved with the HTML5 drag-and-drop feature to the main browser window. "This breaks the Cross zone interaction policy as an Internet page is accessing a local file," Valotta wrote on tentacoloViola, where he explained the entire exploit.
For his cookie-hijacking exploit to work, however, it requires some social engineering to get the victim to drag and drop an object in the browser. Although that might sound challenging, Valotta showed with a proof-of-concept Facebook application that it's not too difficult at all. He said he used an "advanced Clickjacking technique called 'content extraction' and some little JS tricks in order to lure my victim into drag&drop the cookie into an attacker controlled HTML element." He created a puzzle game (video) and shared it with his friends, secretly stealing each victim's Facebook session cookie. "I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server. And I've only got 150 friends," he told Reuters.
Microsoft is not too worried about this zero-day hole in all versions of IE. Microsoft spokesman Jerry Bryant said, "Given the level of required user interaction, this issue is not one we consider high risk. In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."
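Whatever the client-side trick, a stolen session cookie ends up being replayed from the attacker's own machine, so the server-side signal is one session id suddenly appearing from a second client context. The following detector is an added example written for this post, not code from the article or from Valotta; the log format, session ids, IPs and User-Agents are all constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (not from the article): timestamp, client IP,
# session cookie value, User-Agent. Session a1b2c3 is used by the legitimate
# browser and, minutes later, by a different IP and client, which is what a
# replayed (stolen) session cookie looks like from the server's side.
SAMPLE_LOG = """\
2011-05-26T10:00:05Z 198.51.100.7 sid=a1b2c3 "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
2011-05-26T10:01:10Z 198.51.100.7 sid=a1b2c3 "Mozilla/5.0 (Windows NT 6.1; Trident/5.0)"
2011-05-26T10:03:42Z 203.0.113.9 sid=a1b2c3 "curl/7.21.0"
2011-05-26T10:04:00Z 192.0.2.44 sid=d4e5f6 "Mozilla/5.0 (X11; Linux) Firefox/4.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) sid=(\S+) "([^"]*)"$')


def parse_line(line):
    """Parse one log line into (timestamp, ip, session_id, user_agent), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_replayed_sessions(log_text, window=timedelta(minutes=30)):
    """Return {session_id: [(ip, user_agent), ...]} for every session cookie
    presented from more than one (IP, User-Agent) context within `window`
    of its previous request. A flagged session should be invalidated and the
    user asked to log in again."""
    contexts = {}   # sid -> distinct (ip, ua) pairs seen so far
    last_seen = {}  # sid -> timestamp of the most recent request
    flagged = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, sid, ua = rec
        ctx = (ip, ua)
        if sid in contexts:
            if ctx not in contexts[sid] and ts - last_seen[sid] <= window:
                contexts[sid].append(ctx)
                flagged[sid] = contexts[sid]
        else:
            contexts[sid] = [ctx]
        last_seen[sid] = ts
    return flagged
```

Note that HttpOnly does not help here: the cookie is read from IE's cookie file, not from script, so server-side session binding and short session lifetimes are the controls that limit the damage.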
H Security noted, "The researcher notified the Microsoft Security Response Center of the original hole on 28 January 2011 and Microsoft solved the problem before the final version of IE9 was released on 18 March. However, only two weeks later, Valotta found a slightly modified approach that also allowed him to steal cookies from IE9 users, which he demonstrated (direct download PowerPoint file)" at the Hack In The Box security conference.
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.