A security researcher in Italy has discovered a flaw in Internet Explorer that he says could enable hackers to steal cookies from a PC and then log onto password-protected Web sites.
Referring to the exploit as "cookiejacking," Rosario Valotta claims that a zero-day vulnerability present in every version of Microsoft's IE on any version of Windows allows an attacker to hijack any cookie for any Web site.
Demonstrating his findings at security conferences this month in Switzerland and Amsterdam, Valotta acknowledges that to exploit the hole, the hacker must employ a bit of social engineering because the victim must drag and drop an object across the PC for the cookie to be stolen.
But Valotta said he was able to devise the right kind of challenge on a Facebook page: a game that required players to drag and drop an object in order to undress an onscreen photo of a woman, Reuters noted, which allowed him to capture their Facebook credentials via a cookie.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he said, according to Reuters. "And I've only got 150 friends."
For its part, Microsoft doesn't see much real-world risk in cookiejacking.
"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," Microsoft spokesman Jerry Bryant said in a statement sent to CNET.
"In order to possibly be impacted a user must visit a malicious Web site, be convinced to click and drag items around the page and the attacker would need to target a cookie from the Web site that the user was already logged into," added Microsoft. "We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and e-mails, as well as adjusting Internet settings to higher security levels."
Updated 8:50am PT with Microsoft statement sent to CNET.
Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.