1. Forums /
  2. Tech Boards /
  3. Internet Talk /
  4. Warning To All IE Users !!!
Post: Warning To All IE Users !!!
05-28-2011, 12:36 AM #1
RKs Hoe #2's Avatar
RKs Hoe #2
Brute
(adsbygoogle = window.adsbygoogle || []).push({});
You must login or register to view this content.

IE Flaw Could Allow Hackers Access to your Facebook, Gmail, Twitter Accounts
Source : You must login or register to view this content. // By : Impact


Regardless of the version of Windows you use, if you also use any versions of Microsoft's Internet Explorer, then you might not want to do any drag-and-dropping within your IE browser, or you might be done in by "cookiejacking." It's not the CookieMonster or Firesheep, but there is a zero-day hole in IE that allows an attacker to steal any session cookies from any website.

At the Hack In A Box conference in Amsterdam, Italian security researcher Rosario Valotta demonstrated a cookiejacking attack. A session cookie holds information like your username and your password. Once those cookies are stolen, it allows an attacker to access wherever the victim is logged in like Gmail, Facebook, Twitter or other online accounts. His code to exploit the flaw explicitly targets cookies issued by Facebook, Twitter and Gmail, but Valotta says his technique can be used on any website. The attacker is only as limited as his imagination.

The vulnerability was found in IE security zone mechanisms which are supposed to keep Internet zones from mixing; it's meant to prevent sites in the "untrusted" Internet zone from embedding content to the "trusted" local zone. Yet Valotta discovered that cookies were exempt from the security mechanism and could be loaded into iFrames. The cookies were marked with invisible text and moved by the HTML5 drag and drop feature to the main browser window. "This breaks the Cross zone interaction policy as a Internet page is accessing a local file," Valotta wrote on tentacoloViola where he explained the entire exploit.

For his hijack cookie exploit to work, however, it requires some social engineering to get the victim to drag and drop an object in the browser. Although that might sound challenging, Valotta, with a proof-of-concept Facebook application, showed that it's not too difficult at all. He said he used an "advanced Clickjacking technique called 'content extraction' and some little JS tricks in order to lure my victim into drag&drop the cookie into an attacker controlled HTML element." He created a puzzle game (video) and shared it with his friends, secretly stealing the victim's Facebook session cookie. "I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server. And I've only got 150 friends," he told Reuters.

Microsoft is not too worried about this zero-day hole in all versions of IE. Microsoft spokesman Jerry Bryant said, "Given the level of required user interaction, this issue is not one we consider high risk. In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."

H Security noted, "The researcher notified the Microsoft Security Response Center of the original hole on 28 January 2011 and Microsoft solved the problem before the final version of IE9 was released on 18 March. However, only two weeks later, Valotta found a slightly modified approach that also allowed him to steal cookies from IE9 users, which he demonstrated (direct download PowerPoint file)" at Hack In the Box security conference.
(adsbygoogle = window.adsbygoogle || []).push({});
05-28-2011, 12:40 AM #2
Gary-'s Avatar
Gary-
Banned
Could I have some Reggae Reggae sauce with my copy and pasta
05-28-2011, 12:43 AM #3
RKs Hoe #2's Avatar
RKs Hoe #2
Brute
Originally posted by ImGary View Post
Could I have some Reggae Reggae sauce with my copy and pasta


there is a source :dumb:
05-28-2011, 12:52 AM #4
Gary-'s Avatar
Gary-
Banned
They see me trolling, they hating.

Also, just because there is a source, doesn't change the fact that you copy and pasted. I wasn't saying anything about there being no source anyway, just that it was copy and pasted.. :fa:

The following user groaned Gary- for this awful post:

XxprokillahxX
05-29-2011, 11:41 PM #5
zoobkillerninja's Avatar
zoobkillerninja
Keeper
people have been saying this for a long time know. but microsoft said they fixed it with IE8
06-01-2011, 08:15 AM #6
dukilupp's Avatar
dukilupp
Do a barrel roll!
Anything I can do to fix this?
06-01-2011, 12:12 PM #7
Millz's Avatar
Millz
Worth the Weight
Yup, install firefox or Google chrome. Problem solved. Happy
06-01-2011, 01:02 PM #8
XxprokillahxX's Avatar
XxprokillahxX
Banned
Originally posted by g
They see me trolling, they hating.

Also, just because there is a source, doesn't change the fact that you copy and pasted. I wasn't saying anything about there being no source anyway, just that it was copy and pasted.. :fa:


Copy and pasting is not illegal. Especially on a topic like this. Stop backseat moderating.

Copyright © 2026, NextGenUpdate.
All Rights Reserved.

Gray NextGenUpdate Logo