Zero-Day “Cookiejacking” Hack Affects All IE Browsers, But Is It Serious?

A sophisticated new hack has emerged as a zero-day exploit for all versions of Internet Explorer. Dubbed “cookiejacking,” it is a way for hackers to take control of users' browser identities and thus be able to impersonate them on Facebook, Twitter or any encrypted bank or retail site.

A play on the now-familiar “clickjacking” term, cookiejacking happens when a hacker gets a user to drag and drop an item on a website enabled for the hack. It was discovered by Italian security researcher Rosario Valotta, who presented his findings at two European security conferences earlier this year before publishing them on his blog. Given the nature and specificity of the attack, is this something that Internet Explorer users really need to worry about?

Essentially, cookiejacking is enabled when a malicious website gets a user to load a cookie from an Internet zone to a personal zone (one that has access to your cookies). See below for a demonstration.

Valotta told Reuters that he published the game he used to demonstrate cookiejacking on Facebook and was able to get 80 cookies on his server from his 150 Facebook friends.

Microsoft told ComputerWorld that it does not see the attack as serious, given the specific requirements of the hack. Yet with things such as Facebook games and applications (think “put the ball in the hoop to win a prize”), cookiejacking could become a very real threat once it is used in the wild on the Web.

“In order to possibly be impacted, a user must visit a malicious Web site and be convinced to click and drag items around the page in order for the attacker to target a specific cookie from a Web site that the user was previously logged into,” Jerry Bryant, a group manager with the Microsoft Security Response Center, told ComputerWorld.

Facebook has recently improved its security to limit the effect of clickjacking on the site, but cookiejacking could be a whole different story because of how users interact with a Web page. Internet Explorer 8 was initially loaded with native clickjacking protection.

Time will tell if the cookiejacking exploit becomes a ubiquitous threat on the Internet or if Microsoft steps up and closes the loophole on Internet Explorer 7, 8 and 9 before it can become a problem.
