"Cookiejacking" threatens Microsoft’s Internet Explorer
"Any website. Any cookie. Limit is just your imagination," Rosario Valotta, an independent Internet security researcher based in Italy, told Reuters.
Valotta has dubbed this kind of hacking “Cookiejacking,” explaining that hackers can use the browser’s flaw to gain access to data files known as cookies that store login and password information for web-based accounts.
A hacker who gains access to a user’s cookies can access their online profiles, email, or any number of other sites the user might use that rely on cookies.
The flaw was found in Internet Explorer running on the Windows operating system, including the latest IE9 version.
Valotta explained that a hacker would simply have to create a program that tricks a user into dragging a specific file across the screen. He was able to do so easily. By creating a puzzle game on Facebook that challenged users to "undress" a photo of a woman, Valotta quickly duped users into granting him access to their cookies.
"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends."
Microsoft has acknowledged the flaw but scoffed at the possibility anyone would be able to utilize it.
"Given the level of required user interaction, this issue is not one we consider high risk," Microsoft spokesman Jerry Bryant told Reuters. "In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."
Although Valotta was able to perform the task easily, Microsoft continues to think “cookiejacking” scams aren’t a real concern.