BOSTON - A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could allow hackers to steal credentials for access to Facebook, Twitter and other Web sites.
He calls the technique "cookiejacking."
"Any Web site. No cookie. Limit is just your imagination," said Rosario Valotta, an independent Internet security researcher based in Italy.
Hackers can exploit the flaw to access a data file stored in the browser known as a "cookie," which holds the login name and password for a web account, Valotta said by email.
Once a hacker has the cookie, he or she can use it to access the same site, said Valotta, who calls the technique "cookiejacking."
The vulnerability affects all versions of Internet Explorer, including IE 9, on all versions of the Windows operating system.
To exploit the flaw, the attacker must persuade the victim to drag and move an object across the PC's screen before the cookie can be hijacked.
That sounds like a difficult task, but Valotta said he was able to do it relatively easily. He built a puzzle that he posted on Facebook, in which users are challenged to "strip" a photo of a seductive woman.
"I have published this game online on Facebook and within three days, more than 80 cookies have been sent to my server," he said. "And I only have 150 friends."
Microsoft has said there is little risk that a hacker could succeed with a cookiejacking scam in the real world.
"Given the level of required user interaction, this is not an issue we consider high risk," said Microsoft spokesman Jerry Bryant.
"To be affected, a user must visit a malicious Web site, be persuaded to click and drag items on the page, and the attacker would need to target a cookie from the Web site that the user is already logged into," said Bryant.