A sophisticated new hack has emerged as a zero-day exploit for all versions of Internet Explorer. Dubbed “cookiejacking,” it is a way for hackers to take control of users browser identities and thus be able to impersonate them on Facebook, Twitter or any encrypted bank or retail site.
A play off the now familiar “clickjacking” term, cookiejacking happens when a hacker gets a user to drag and drop an item on a website enabled for the hack. It was discovered by Italian security researcher Rosario Valotta, who presented his findings it at two European security conferences earlier this year before publishing them on his blog. Given the nature of the attack and specificity of the attack, is this something that Internet Explorer users really need to worry about?
Essentially, cookiejacking is enabled when a malicious website gets a users to load a cookie from an Internet zone to a personal zone (one that has access to your cookies). See below for a demonstration.
Valotta told Reuters that he published the game he used to demonstrate cookiejacking on Facebook and was able to get 80 cookies on his server from his 150 Facebook friends.
Microsoft told ComputerWorld that it does not see the attack as serious, given the specific requirements of the hack. Yet, with things such as Facebook games and applications, (think, “put the ball in the hoop to win a prize”), cookiejacking could become a very real threat when implemented into the wild of the Web.
“In order to possibly be impacted, a user must visit a malicious Web site and be convinced to click and drag items around the page in order for the attacker to target a specific cookie from a Web site that the user was previously logged into,” Jerry Bryant, a group manager with the Microsoft Security Response Center, told ComputerWorld.
Facebook has recently improved its security to limit the affect of clickjacking on the site, but cookiejacking could be a whole different story because of how users interact with a Web page. Internet Explorer 8 was initially loaded with native clickjacking protection.
Time will tell if the cookiejacking exploit becomes a ubiquitous threat on the Internet or if Microsoft steps up and closes the loophole on Internet Explorer 7, 8 and 9 before it can become a problem.