Microsoft does not consider cookiejacking a serious threat

    At a recent hacker conference in Switzerland, Italian researcher Rosario Valotta demonstrated an interesting bug in IE 7/8/9 that allows an attacker to copy cookies from a user's computer.

    By analogy with clickjacking, the method works through a transparent iframe that displays a list of files from the cookie folder. Above it is another element that the user drags onto another frame with minimal security settings (Security Zones in IE), in effect voluntarily handing the files to the attacker. On his blog, Rosario Valotta posted an attractive jigsaw puzzle of a half-naked girl, where pieces of the mosaic had to be dragged aside, and in a few days he received cookies from 80 of his 150 Facebook friends. Valotta's website on Google has already been disabled for breaking the ToS.

    More details about the vulnerability are given in his presentation at the hacker conference: see the slides and videos.



    A fragment showing the cookie demonstration is available here.





    Back in January, Rosario Valotta sent information about this bug to the Microsoft Security Response Center, but he still has not received a response. Moreover, a few months later the final release of IE9 shipped with the same bug, although it was clear that an attempt had been made to close it, not quite successfully.

    On May 27, the Microsoft Security Response Center manager finally commented officially on the so-called 0-day exploit. In his opinion, since this way of stealing cookies requires a user to visit a malicious website and perform certain actions, the attack is unlikely, and Microsoft does not consider the vulnerability serious.

    However, independent analysts are sure that Microsoft is wrong. According to them, cookiejacking seems a primitive and non-technical exploit only at first glance; in fact it is an effective technique that can become very popular among attackers if the hole is not closed.
