Browsing the web with Internet Explorer? Then you might want to take extra precautions to keep hackers out of your cookie jar.
Rosario Valotta, an Italian computer security professional, has discovered a flaw in Microsoft's Internet Explorer that could allow hackers to steal the browser's stored session data files, known as "cookies," and use them to get into a victim's accounts on Facebook, Twitter and any other password-protected website the victim is logged into.
Valotta revealed this "cookiejacking" flaw earlier this month at computer security conferences in Amsterdam and Switzerland. He claims the zero-day vulnerability is present in every version of Internet Explorer on every version of Windows, and that it allows hackers to hijack any cookie for any website.
"Any website. Any cookie. Limit is just your imagination," Valotta told Reuters.
To execute an attack, a hacker would first need the victim's Windows username. To then retrieve the cookie, the hacker would have to hoodwink the user into dragging and dropping an object across the PC's screen. Valotta demonstrated this by creating a jigsaw puzzle game on Facebook in which users "undress" an onscreen photo of an attractive woman.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta said. "And I've only got 150 friends."
However, Microsoft considers the cookiejacking flaw a minimal risk for users.
"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," Microsoft spokesman Jerry Bryant said in a statement sent to CNET.
"In order to possibly be impacted a user must visit a malicious Web site, be convinced to click and drag items around the page and the attacker would need to target a cookie from the Web site that the user was already logged into," added Microsoft. "We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and e-mails, as well as adjusting Internet settings to higher security levels."