IE “cookiejacking” security hole discovered, affecting all versions

A new Zero-Day exploit has been discovered to exist in every version of Internet Explorer, and, with the help of a little social engineering, it has the potential to get a hold of personal data by stealing a user’s cookies.

Italian security researcher Rosario Valotta discovered the vulnerability and recently demonstrated a successful exploit at Swiss Cyber Storm and Hack in the Box security conferences.

“Any website. Any cookie. Limit is just your imagination,” Valotta told Reuters about the exploit technique he refers to as “cookiejacking.”

The problem lies in the fact that IE cookies are exempt from a security zone mechanism in the browser that prevents webpages from being able to access locally stored content. To get a hold of a user’s data in this way, however, a cyber-criminal must find a way to get the person to drag and drop the cookie information into their main browser window.

While that sounds like a convoluted way to steal data, it’s not as difficult as one would think.

“I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server. And I’ve only got 150 friends,” Valotta says. A video of his “game,” which lures users to make the required drag and drop moves by promising users a picture of a naked woman for solving a simple puzzle, can be viewed on YouTube.

Microsoft, however, does not feel that the threat is very serious.

“Given the level of required user interaction, this issue is not one we consider high risk,” said Microsoft spokesperson Jerry Bryant. “In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into.”

It honestly sounds to me that Microsoft is underestimating the craftiness of cyber-criminals, while overestimating the common sense skills of IE users that would prevent them from falling victim to these socially-engineered exploits. Hopefully a patch will be issued soon to close this vulnerability.