
Cookie hijacking vulnerability discovered in Internet Explorer


nsane.forums

A security researcher has discovered a vulnerability in all versions of Internet Explorer, including IE9, on all versions of Windows. This vulnerability allows hackers to steal login information for any sites requiring passwords. The theft of one's credentials is achieved by taking advantage of a flaw in how Internet Explorer handles cookies. While it sounds alarming at first glance, this vulnerability does require a fair amount of interaction from a user for it to be successful - thus being another example of social engineering.

The Italian security researcher, Rosario Valotta, shared details of the attack in an interview with Reuters. The execution of this attack is done by convincing users to drag and drop an object across the screen to successfully obtain the cookie. Valotta managed to build a successful proof of concept of this flaw by coding a Facebook game which challenges users to undress a woman. According to Valotta: "I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server. And I've only got 150 friends."

Besides tricking users with sneaky puzzles, the vulnerability has few real-world applications that would have a greater impact. In a statement, Microsoft spokesperson Jerry Bryant states users should not be too concerned over the findings:

Given the level of required user interaction, this issue is not one we consider high risk. In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into.

We recommend all users, not just those on Internet Explorer, to be wary of suspicious-looking applications and game requests sent by your Facebook friends.

nsane.forums

Microsoft today downplayed the threat posed by an unpatched vulnerability in all versions of Internet Explorer (IE) that an Italian researcher has shown can be exploited to hijack people's online identities. The bug, which has been only discussed and not disclosed in detail, was part of an attack technique described by Rosario Valotta, who dubbed the tactic "cookiejacking," a play on "clickjacking," an exploit method first revealed in 2008.

Valotta combined an unpatched bug, or "zero-day," in IE with a twist on the well-known clickjacking tactic to demonstrate how attackers can steal any cookie for any site from users duped into dragging and dropping an object on a malicious Web page.

He had demonstrated the attack at a pair of security conferences in Amsterdam and Zurich earlier this month, then published more information on his blog Monday.

By hijacking site cookies from IE7, IE8 and even IE9, attackers would be able to access victims' Web email, Facebook and Twitter accounts; or impersonate them on critical sites that encrypt traffic, like online banks and retail outlets.

Jeremiah Grossman, co-founder and CTO of WhiteHat Security, called Valotta's attack "clever" and said he could see hackers taking to it as a fallback to clickjacking, which he and Robert Hansen uncovered and publicized nearly two years ago. "In the event they can't find a cross-site scripting or clickjacking vulnerability, this would be a nice fallback plan for [attackers]," Grossman said.

But Microsoft didn't think cookiejacking was much to worry about.

"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC). "In order to possibly be impacted, a user must visit a malicious Web site and be convinced to click and drag items around the page in order for the attacker to target a specific cookie from a Web site that the user was previously logged into."

Grossman strongly disagreed.

"I think they're wrong," he said. "Like many esoteric attack techniques, until they've seen it used in the wild, they'll downplay it. It's actually a very simple attack, but it's not technically difficult, so their take is 'Nothing new to see here.'"

Valotta's proof-of-concept attack was relatively simple: He built a Facebook game that baited users with a simple puzzle of an attractive woman, and with it was able to collect dozens of cookies from unsuspecting Facebook users.

"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta told the Reuters news service this week.

The puzzle required users to drag and drop pieces on the Web page; unbeknownst to the victims, when they did so they actually dragged cookies to a specific spot on the screen where a clickjacking attack captured the data before sending it to Valotta.

Valotta said that all versions of IE, including the just-released IE9, on all supported editions of Windows, including XP, Vista and Windows 7, were vulnerable to cookiejacking attacks.

Bryant added that the IE vulnerability was not serious enough to trigger an emergency, or "out-of-band" security update. "We are also not aware of it being used in any active way outside of the demo at [the Amsterdam] Hack in the Box [conference]," he said.


nsane.forums

Dangers of IE 'Cookiejacking': What You Need to Know

A security researcher has discovered a means of hijacking sensitive information from cookies in Internet Explorer. The 'cookiejacking' technique could expose credentials from Facebook, Twitter, Gmail, or other online services, but Microsoft doesn't consider it a serious threat. So, is the sky falling, is the security researcher crying wolf, or is the real risk somewhere in between?

Security researcher Rosario Valotta recently demonstrated the 'cookiejacking' technique, and has details of the attack on his blog. The 'cookiejacking' threat and underlying zero-day flaw affect all versions of Internet Explorer running on any version of Windows, so the pool of potential victims is significant.

'Cookiejacking' could let an attacker capture your Facebook credentials.

What Is a Cookie?

A cookie is a small text file used by a Web browser or application to store information like site preferences, or user account credentials for site authentication.

What Is 'Cookiejacking'?

The technique exploits a flaw that bypasses the Security Zone protection in Internet Explorer to enable the attacker to capture the contents of cookies that should not be exposed.

What Is at Risk?

Most text files contain text that would be of little value. But, if you are logged in to a site like Facebook, Twitter, or Gmail, cookies are used to store user account information needed to authenticate so you don't have to log in repeatedly. If an attacker can hijack these cookies, they could impersonate you or access sensitive data within the affected site or service.

Is It a Serious Threat?

The attack is not trivial to pull off. The actual 'cookiejacking' is just one piece of a larger puzzle that requires different attack techniques, and duping the user into becoming a willing participant.

Microsoft's Jerry Bryant downplayed the threat based on the complexity of the attack and the level of user interaction required for it to work. "In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."

While all of that is true, though, many users click the little checkbox that says "keep me logged in" so they don't have to enter user credentials every time they visit a site like Facebook, and it is actually fairly simple to lure users into clicking. Valotta created a Facebook game where users undress a naked woman by clicking on her clothing to remove it. Voila! A game like that would definitely get users clicking.

What Should You Do?

So, the sky is not falling. Successfully executing a 'cookiejacking' attack to extract sensitive credentials does take a fair amount of user interaction, and hopefully informed users know enough not to chase that rabbit down the hole.

At the same time, Valotta is not crying wolf. The 'cookiejacking' technique does work with a little cooperation from the user, and with more than 500 million users on Facebook playing all sorts of silly games, it is not a stretch to think that a significant number of users could be socially engineered to fall for the attack.

Microsoft does not consider the 'cookiejacking' issue to be a big enough threat to warrant an urgent, out-of-band security update for Internet Explorer, but it is allegedly working on a fix that will be available over the next few months. In the meantime, exercise some caution with a little extra common sense, and don't go clicking on things just because someone asks you to.
