New IE bug may expose your cookies

By Gina on May 31, 2011 | Vulnerabilities, flaw in IE, IE vulnerability, IE flaw, Facebook account, Twitter, Gmail, malicious web page

Recently, a security researcher discovered an unpatched flaw in IE that can be used to steal credentials for Facebook accounts and for other websites compromised by this attack.

Rosario Valotta, an independent researcher, demonstrated his “cookiejacking” method, which uses a vulnerability in all IE versions to steal Facebook session cookies once users have entered their username and password. The cookie acts as a digital credential that allows the user to access a specific account.

According to R. Valotta, this proof of concept is designed to target cookies issued by Facebook, Twitter and Gmail. However, the technique can be used against virtually any other website as well.

The attack exploits a vulnerability in IE's security zones, the mechanism that differentiates trustworthy websites from compromised ones. An application embedded in a malicious web page can let an attacker use the cookies stored on the victim’s computer while the victim is browsing.

Cybercriminals can do this only by knowing where cookies are stored on the hard drive and finding out the victims' usernames and passwords.

Pete Voss, a Microsoft spokesman, said in a statement: "We are aware of an issue that could enable theft of a user's cookies if they were convinced to visit a malicious website and once there, further convinced to click and drag items around on the page. Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users."
