05-29-2011, 01:29 PM
I don't use Internet Explorer any more and haven't for a long time actually. I use Firefox. But I wanted to pass this along to those that might.
C is for cookiejacking, and it's a brand-new flaw that's been discovered in any and all versions of Internet Explorer, running on any variant of Microsoft's Windows operating systems.
But before you sound the alarm and switch over to Chrome or Firefox, know that cookiejacking—discovered and named by Rosario Valotta–first requires a bit of user tomfoolery in order to work. Be lured in by the cookiejack, however, and you might have just given up your login credentials for a site like Twitter or Facebook to a random third party.
The technique requires users to drag and drop the contents of a given cookie into what Valotta calls "an attacker-controlled HTML element." But before an attacker even gets to that step, he or she needs to pull a bit more information from the unsuspecting user. First off, the targeted cookie has to be for a site that the user is actively logged into in order for the exploit to have any meaning. The attacker also has to know the target's Windows username as well as the operating system the user's running in order to pull up the cookie itself.
According to Valotta, these are both details that can be pulled from various browser exploits or simple Javascript detection scripts. As for the drag-and-drop part of the exploit, that's the process by which a user is tricked into copying the text of the cookie file and sending it off to the attacker.
To accomplish that, Valotta hides the cookie text in a layer underneath a simple picture—like a basketball, for example. Clicking on this "basketball" actually selects the text underneath it, and dragging it over to a picture of a "hoop" sends the contents of the cookie off to the attacker. Voila—there go your login credentials.
READ MORE HERE
C is for cookiejacking, and it's a brand-new flaw that's been discovered in any and all versions of Internet Explorer, running on any variant of Microsoft's Windows operating systems.
But before you sound the alarm and switch over to Chrome or Firefox, know that cookiejacking—discovered and named by Rosario Valotta–first requires a bit of user tomfoolery in order to work. Be lured in by the cookiejack, however, and you might have just given up your login credentials for a site like Twitter or Facebook to a random third party.
The technique requires users to drag and drop the contents of a given cookie into what Valotta calls "an attacker-controlled HTML element." But before an attacker even gets to that step, he or she needs to pull a bit more information from the unsuspecting user. First off, the targeted cookie has to be for a site that the user is actively logged into in order for the exploit to have any meaning. The attacker also has to know the target's Windows username as well as the operating system the user's running in order to pull up the cookie itself.
According to Valotta, these are both details that can be pulled from various browser exploits or simple Javascript detection scripts. As for the drag-and-drop part of the exploit, that's the process by which a user is tricked into copying the text of the cookie file and sending it off to the attacker.
To accomplish that, Valotta hides the cookie text in a layer underneath a simple picture—like a basketball, for example. Clicking on this "basketball" actually selects the text underneath it, and dragging it over to a picture of a "hoop" sends the contents of the cookie off to the attacker. Voila—there go your login credentials.
READ MORE HERE