IE Users: Are Your Cookies Being Hijacked?
Huh? Well, I know most of the readers of the Dr. Bill Blog are probably NOT Internet Explorer users, but there IS a “Zero-Day” hack that can hijack cookies if you DO use IE!
“A sophisticated new hack has emerged as a zero-day exploit for all versions of Internet Explorer. Dubbed ‘cookiejacking,’ it is a way for hackers to take control of users’ browser identities and thus be able to impersonate them on Facebook, Twitter or any encrypted bank or retail site.
A play off the now familiar ‘clickjacking’ term, cookiejacking happens when a hacker gets a user to drag and drop an item on a website enabled for the hack. It was discovered by Italian security researcher Rosario Valotta, who presented his findings at two European security conferences earlier this year before publishing them on his blog. Given the nature of the attack and specificity of the attack, is this something that Internet Explorer users really need to worry about?
Essentially, cookiejacking is enabled when a malicious website gets a user to load a cookie from an Internet zone to a personal zone (one that has access to your cookies).
Valotta told Reuters that he published the game he used to demonstrate cookiejacking on Facebook and was able to get 80 cookies on his server from his 150 Facebook friends.
Microsoft told ComputerWorld that it does not see the attack as serious, given the specific requirements of the hack. Yet, with things such as Facebook games and applications, (think, ‘put the ball in the hoop to win a prize’), cookiejacking could become a very real threat when implemented into the wild of the Web.”