Cookiejacking – The Bane of IE Existence

Italian computer security researcher Rosario Valotta has recently identified what he terms cookiejacking in Internet Explorer. An  HTTP Cookie is a file that exists as a client side variable to store data from the browser. For instance, the login details to a website might be stored in a cookie to allow the website to be properly accessed. While browser settings can be used to largely reject cookies, doing so ultimately renders some websites unusable.

There are countless site hosting configurations that make use of cookies. In fact, it would probably be difficult to find a site hosting operation of any substance that doesn’t issue some sort of cookie. These sorts of files have truly become pervasive all over the web.

A computer hacker could conceivably exploit the way that Internet Explorer deals with cookies to access login credentials for websites that the user in question has accounts with. For instance, hackers could be able to steal Facebook login information for users whose systems have been compromised by the security hole. However, they would be required to jump through some hoops to get to such a point.

The hacker would need to encourage a user to drag an object and drop it to actually exploit the flaw. This isn’t necessarily normal behavior for many websites. Most users would usually associate drag and drop software with file management or regular applications. Microsoft’s own developers are not overly concerned with the security hole.

Even if a hacker were to be able to get a user to do something that they wouldn’t otherwise do, Microsoft has made the point that an attacker would actually need to specifically target a cookie sent from a website that a user had already submitted their login credentials for. This is a rather difficult scenario, considering that Microsoft believes that a user would have to be routed to a malicious website in the first place to truly exploit the hole.

There is another obstacle that has been brought up by other sources as well. Quite a few site hosting applications only give cookies a short amount of time to work before they expire. This could possibly mean that hijacked cookies may not have particularly long periods of time in which to do their dirty work.

However, Valotta isn’t convinced that users can’t be persuaded to actually do this. He produced a puzzle that essentially took the form of a mock social engineering attack. The attack was actually more successful than one might have otherwise assumed, and perhaps indicates that there is a very real possibility of such an attack actually being used in the wild.

In three days, he was able to hijack the cookies of 80 of his Facebook friends out of a total of 150. The puzzle itself took the form of a game to undress a photo of an attractive female. This allowed for an environment in which people actually did drag and drop the object needed to hijack a cookie. Moreover, the website itself was not a questionably malicious site. Numerous users know and trust the giant Facebook social networking platform, and such users would naturally already be logged into it.

Technically, however, the problem isn’t only confined to Internet Explorer. The majority of browser forks based in the Microsoft Windows platform have some sort of vulnerability. Therefore, malicious site hosting networks that serve malware in some form might be able to attack several pieces of software at once. If this were to be combined with a social engineering attack that is similar to the one that Valotta organized, there could be a significant amount of damage done.

Users should obviously follow the normal Internet browsing precautions that they already ought to be. As Microsoft had announced, people should be on the look out for malicious links. One shouldn’t click one that appears to be suspicious. If a game object seems odd or unsafe, it most likely is. After all, it was this kind of a scenario that was used to demonstrate the dangers of such an attack.

Naturally, a successful attack would most likely not affect all computers equally. For instance, computers running the operating system in a windows hosting capacity probably wouldn’t see a very high infection rate. These sorts of machines are usually not used for general browsing or social networking. Desktop PCs at home and mobile computers used for daily Facebook or Twitter updates are a different story.

Even if windows hosting and mission critical computers wouldn’t go down, the outcome of such attacks on private machines could be appalling. While the good news is indeed that hackers would have to jump through hoops to exploit the security hole, that doesn’t mean that users shouldn’t be diligent in protecting their computers anyways.

Deleting cookies and clearing the Internet cache regularly helps to take the edge off threats from cookiejacking. Moreover, it can increase performance. Users who want to try out new online applications or games should do a search to ensure their safety before loading them up. One might also wish to log out of websites once they are done working in them. Threats like that of cookiejacking can be largely mitigated with good habits.

About the Author:
Zac Kenni is a senior writer and a business developer from a trusted hosting reviews company., provider of good quality webhosting reviews and rates hosting services through a collaboration of thorough research, data analysis, performance and user feedback.