Microsoft's new security risk: "cookiejacking"
Italian researcher demos how to use stolen cookie to access victim's Facebook account
A computer security researcher has found a glitch in Microsoft Corp.'s Internet Explorer browser that he said could let hackers steal credentials to access users' Facebook and Twitter accounts.
All versions of Internet Explorer store, in a data file known as a session cookie, the log-in name and account names issued by Facebook and other sites once a user has entered a valid user name and password. Such a file can be stolen via "cookiejacking", according to Rosario Valotta, an independent Internet security researcher based in Italy.
Mr. Valotta demonstrated cookiejacking last week at the Hack in the Box security conference in Amsterdam, Netherlands. In his presentation, he noted that clickjacking attacks have been widely adopted by attackers worldwide against popular websites to perform drive-by download attacks, click forging, message sending and so on. With cookiejacking, he said, the attack works in all Internet Explorer versions and can steal session cookies from whatever site a victim is visiting.
In his blog, Mr. Valotta explains that cookiejacking leverages two main issues: (1) a 0-day vulnerability affecting every IE version on every Windows OS, and (2) an advanced clickjacking approach. In his clear demonstration, he said the attacker first needs to obtain the victim's Windows user name by sending a script that sniffs it: in IE, a page can reference remote SMB resources using UNC paths. Next, the attacker must identify the OS version the victim is running, since different OS versions store cookies in different folders; this can be done by parsing the navigator.userAgent object. Once the iframe source is set accordingly, the victim is tricked into dragging and dropping the cookies, with a drag feedback image serving as the illusion.
Microsoft spokesman Pete Voss said in a statement, "We are aware of an issue that could enable theft of a user's cookies if they were convinced to visit a malicious website and once there, further convinced to click and drag items around on the page. Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users."
Mr. Valotta is an IT security professional with over 10 years of experience. He has been actively finding vulnerabilities and exploits since 2007.