A security expert has warned that IE has a flaw that allows attackers to steal cookies to access user accounts
Microsoft’s Internet Explorer web browser contains an unpatched flaw that allows attackers to steal login credentials to various websites via cookies, a security researcher has warned.
Attackers can exploit the Internet Explorer flaw to steal cookies from user computers and use the saved information to access user data. The researcher, Rosario Valotta, demonstrated the exploit at the Hack in the Box security conference in Amsterdam on 20 May.
Cookies are text files that web sites constantly save onto computers with information about user activity, such as login credentials, the contents of a shopping cart, or what sites the user has recently visited.
The attacker has to guess the users’ username for accounts, but can find passwords by using “an advanced clickjacking technique.” Clickjacking occurs when users are tricked into clicking on a button or link that looks innocent, but are crafted to steal information. The “cookiejacking” attack violates IE’s cross-zone interaction policy and exploits a zero-day vulnerability that is present in all versions of Internet Explorer and can be exploited on all Windows versions, according to a 23 May post on his Tentacolo Viola blog.
“Any cookie. Any website. Ouch,” Valotta wrote. The stolen cookies can be used to download malware onto user machines or login to user accounts. The proof of concept targeted Facebook, Twitter and Google Mail cookies, but Valotta said any website can be targeted.
He put the test case on Facebook and got 80 responses, Valotta said.
Internet Explorer uses “Security Zones” to group websites according the level of trust, and prevents content from different zones from interacting. Sites that users consider safe, which are assigned to a higher trust zone, shouldn’t be sharing information with less trusted sites. When a cookie file is loaded into the browser using an IFrame embedded on a malicious file, it violates the Cross Zone policy as “an Internet page is accessing a local file,” Valotta wrote.
“It is complicated for the attacker, but not for the victim,” Valotta told The Register.
The number of things the person needs to obtain before launching a successful attack makes it only a moderate risk for users. Considering that many malicious attacks involve tricking users into giving up user names and there are rogue portals that already check what operating system the victims are running before delivering a customised payload, neither of the “obstacles” will slow down any criminals interested in using this technique. Valotta also pointed out that Internet Explorer automatically returns user names as plaintext when getting images or other resources from the remote server. All an attacker needs is a script to “sniff” the username.
Microsoft is aware of the issue and will roll out a patch in an upcoming update, a Microsoft spokesperson told eWEEK.