Saturday, May 28, 2011

Security researcher finds 'cookiejacking' risk in IE

A security researcher has developed a method that can compromise the digital credentials needed to access accounts on Facebook and other websites by exploiting a flaw in Microsoft's Internet Explorer (IE) browser, according to a report in The Register.

Referring to the exploit as cookiejacking, Rosario Valotta claims that a zero-day vulnerability found in every version of Microsoft's IE under any version of Windows allows an attacker to hijack any cookie for any Web site.
Demonstrating his findings at security conferences this month in Switzerland and Amsterdam, Valotta acknowledges that to exploit the hole, the hacker must employ a bit of social engineering because the victim must drag and drop an object across the PC for the cookie to be stolen.
But Valotta said he was able to devise the right type of challenge on a Facebook page: a game that required people to drag and drop an object, in the guise of undressing an onscreen photo of a woman, noted Reuters, thus allowing him to capture their Facebook credentials via a cookie.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he said, according to Reuters. "And I've only got 150 friends."
For its part, Microsoft doesn't see much real-world risk in cookiejacking.
By hijacking site cookies from IE7, IE8 and even IE9, attackers would be able to access victims' Web email, Facebook and Twitter accounts, or impersonate them on critical sites that encrypt their traffic, such as online banks and retail outlets.

Jeremiah Grossman, founder and CTO of WhiteHat Security, called Valotta's attack "clever" and said he could see hackers taking to it as a fallback to clickjacking, which he and Robert Hansen uncovered and publicized nearly two years ago. "In the event they can't find a cross-site scripting or clickjacking vulnerability, this would be a nice fallback plan for [attackers]," Grossman said.

But Microsoft didn't think cookiejacking was much to worry about.

"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC). "In order to possibly be impacted, a user must visit a malicious Web site and be convinced to click and drag items around the page in order for the attacker to target a specific cookie from a Web site that the user was previously logged into."

Valotta said the process primarily targets cookies created by Facebook, Twitter and Google Mail, but the procedure can be used on almost any website and can affect all versions of Windows.
He added that by embedding a special HTML tag, an iframe, the attacker can bypass the browser's cross-zone restrictions and force it to expose cookies stored on the user's computer. However, the attacker must first know where the cookies are stored on the hard drive, which differs between versions of Windows, as well as the person's Windows username, before the technique can be carried out.
Valotta said that before proceeding with his experiment he alerted Microsoft's security team in January, and that the company will release updates to fix the problem in June and August.
