Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Where's my gigabit Internet, anyway?
Americans cool with lab-grown organs, but not designer babies
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report
DDoS Attackers Change Techniques To Wallop Sites
Can we talk? Internet of Things vendors face a communications 'mess'
AMD's profitability streak ends at two quarters
Michaels says breach at its stores affected nearly 3M payment cards
Exclusive: Google's Project Loon tests move to LTE band in Nevada
H-1B loophole may help California utility offshore IT jobs
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
/

Cookie data in IE may be vulnerable to snooping

Today's breaking news
Send to a friendFeedback


Users of Internet Explorer on Windows platforms are being advised to turn off JavaScript to prevent their cookie files from being read by hostile Web sites.

Thousands of e-commerce sites use cookies to authenticate users or store private information. However, those cookies could be exposed by IE and intercepted by a third-party Web site, according to an Internet privacy watchdog group.

Seattle-based Peacefire.org has demonstrated that by using a specially constructed URL, a Web site can read IE cookies set from any domain. For example, to read an Amazon.com cookie, a site might direct the user's browser to www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com.

Peacefire points out that if the "%2f"'s are replaced with "/" characters, and the "%3F" with "?", this URL is actually www.peacefire.org/security/iecookies/ showcookie.html?.amazon.com.

This hack confuses IE into thinking the page is located in the Amazon.com domain and allows the page to read the user's Amazon.com cookie. Normally, only the site that issued a cookie has permission to read data within that cookie.

According to Peacefire, all known versions of Internet Explorer for Windows 95, 98 and NT are affected. The organization reports that IE for the Macintosh and Unix do not appear to be affected, and no version of Netscape Navigator or any other browser is vulnerable.

Peacefire says the safest workaround for Windows IE users is to disable JavaScript. When the browser loads a URL like www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com, the Amazon.com cookie is only available to JavaScript code on the page; it is not submitted to the server in a Hypertext Transfer Protocol (HTTP) header.

A spokesman for Microsoft Corp. said that the company is working on a patch for the IE cookie issue to be released shortly. A security bulletin will be published at www.microsoft.com/technet/security/default.asp to discuss the issue and advise customers how to obtain and apply the patch. Microsoft also plans to send the bulletin via its Product Security Notification Service to more than 100,000 subscribers.

Microsoft acknowledges that the vulnerability could allow a malicious Web site operator to read, change or delete cookies that belong to another Web site, the spokesman said. However, according to the company, the vulnerability could not be used by a malicious Web site operator to "inventory" what cookies a person had. Instead, the hacker would need to randomly try to recover cookies from various sites.

"Normal security practices recommend that Web sites should never include sensitive data in cookies," the spokesman said, adding that Microsoft Web sites never include sensitive data in cookies. "If these practices are followed, there would be no sensitive data to compromise."

However, Peacefire's Jamie McCarthy said that a number of popular sites deploy cookies that collect sensitive information. He pointed out that intercepting a cookie set by HotMail, Yahoo Mail, or any other free Web-based e-mail sites that use cookies for authentication, could allow the operator of a hostile Web site to break into a visitor's HotMail account and read the contents of the user's inbox. While HotMail cookies do not contain user passwords, they do allow a third party to access a user's HotMail account for as long as that user stays logged in, since each separate login generates a new cookie.

McCarthy also points out that the ability to harvest cookie information could be tempting for unscrupulous marketers. Intercepting a user's Amazon.com cookie could allow a hacker to visit Amazon.com impersonating that user, and access their real name, e-mail address and the user's list of "recommended titles," which could indicate past purchases of books and CDs. Credit-card numbers or actual lists of previous Amazon.com orders can't be accessed because viewing this information requires a password not contained in the cookie, says McCarthy.

Such a privacy hole can also be used to cull password information. For instance, McCarthy notes that some publications store passwords in cookies. While a password is only needed to browse articles on NYTimes.com and not make purchases, exposing this password is still dangerous since users might have the same password set up for several different sites.

For more enterprise computing news, visit Computerworld online. Story copyright 2000 Computerworld, Inc. All rights reserved.

RELATED LINKS


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.