Rosario Valotta, a security researcher from Italy, has discovered a flaw in Internet Explorer that could enable hackers to steal cookies from a user’s PC and then use those cookies to log onto password-protected websites.
As CNET reports, this exploit is being referred to as “cookiejacking” and apparently is possible in any version of Internet Explorer under any version of Windows.
Valotta claims that in order to exploit the vulnerability, the hacker must get the user to drag and drop an object across the screen for the cookie to be stolen. For example, a Facebook page could require people to drag and drop an object in order to undress an onscreen photo of a woman. This allows the hacker to capture the user’s Facebook credentials via a cookie.
“I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server. And I’ve only got 150 friends,” said Valotta.
“Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users. In order to possibly be impacted a user must visit a malicious Web site, be convinced to click and drag items around the page and the attacker would need to target a cookie from the Web site that the user was already logged into. We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and e-mails, as well as adjusting Internet settings to higher security levels,” said Microsoft spokesman Jerry Bryant.
Microsoft, however, doesn’t seem to see a real-world risk to “cookiejacking.”