Internet Explorer Flaw Lets Hackers Into the Cookie Jar
May 27, 2011 5:00 AM PT
Italian security researcher Rosario Valotta has discovered a new way for hackers to steal their victims' online credentials -- stealing the session cookies from whatever site a victim is visiting.
The stolen cookies can then be used to get victims' computers to download malware, forge clicks or send messages, according to Valotta's website.
The attack, which Valotta dubbed "cookiejacking," works on all versions of Internet Explorer across all versions of the Windows operating system, the researcher contends.
"Microsoft is working to address the issue in an upcoming update," Jerry Bryant, a group manager at Microsoft Trustworthy Computing, told TechNewsWorld.
Apparently, there is no real reason for haste because this is a "moderate flaw," Oliver Lavery, director of security R&D at nCircle, told TechNewsWorld.
"Substantial user interaction is involved, reducing the likelihood of successful exploitation," Lavery stated.
"Many times a year we see vulnerabilities that allow malicious websites to execute code on a victim's computer with minimal interaction," Lavery explained. "This cookiejacking proof-of-concept is nowhere near that level of risk."
Reaching Into the Cookie Jar
The cookiejacking attack involves figuring out the victim's Windows username, knowing which version of Windows the victim is running and tricking the user into selecting the entire content of the stolen cookie.
Cookies are text files, so selecting their entire content is the same as selecting the entire content of a word or other text file -- you click the mouse button and drag the mouse down the length of the file.
How Cookiejacking Works
Cookiejacking violates IE's cross-zone interaction policy, leveraging a zero-day vulnerability affecting every version of IE on every version of Windows, Valotta said.
IE uses proprietary mechanisms called "Security Zones" that let users group websites according to the level of trust their sources have and prevent content from the different zones from interacting.
That's why when you use a wireless connection, your security software will ask you whether you want the site you're accessing to be kept in the Internet zone or allowed to access files on your computer.
However, hackers can create an IFrame element in a Web page that contains the contents of a file from a user's hard disk, which violates Internet Explorer's Cross Zone interaction policy, nCircle's Lavery pointed out.
Inline Frames, or IFrames, are essentially windows cut into your Web page that let visitors view another page on or off your website without having to reload the entire page.
You can use links in one IFrame to change links in another
"The problem is with Internet Explorer allowing a specific file (the cookies file) to be loaded into an IFrame in a page," Amit Klein, chief technology officer at Trusteer, told TechNewsWorld. "In theory no such file should be loaded into an IFrame."
Valotta on Cookiejacking
In order to steal a victim's cookies, the cookiejacker has to first figure out the victim's Windows username, because the cookies file system path depends on that username. Forcing the victim's browser to retrieve a resource will make it send the username in plain text, Valotta wrote.
The attacker also needs to find out which version of Windows the victim is running because different versions store the cookies in different folders. Parsing the "navigator.userAgent" object will yield the information, Valotta said.
Next, the cookiejacker has to get the victim to drag and drop the cookie. Valotta's solution was to create a jigsaw puzzle that purportedly would reveal a picture of a naked woman when it was solved. He put this on Facebook as a test case and got 80 responses.
In order to get the victim to select the entire content of the cookie, he displayed cookies in two nested IFrames. The first is short and scrollable and the second contains the cookie. When the victim clicks on the cookie, the first IFrame begins to scroll.
That scrolling occurs while the user is clicking the mouse button down, in effect getting the user to select the entire content of the cookie with one click.
Although Valotta contends the attack is easier to launch successfully than it sounds, Trusteer's Klein was skeptical.
"The tricky part is to convince people to click on and drag items across a page," Klein stated. "I'm not sure whether this is as straightforward in real-life scenarios as it's portrayed. That includes, for example, the need to find the victim's Windows username."
Further, Klein pointed out, Valotta has stated that the method may not work across proxies.
The Risks and Danger of Cookiejacking
The amount of user interaction makes it less likely that an attacker will be reliably successful in exploiting this vulnerability, Microsoft's Bryant said.
However, Microsoft is not downplaying the issue and "will take action against any attempts to target it," Bryant warned.
That brimstone-and-hellfire approach may be necessary.
"You never know whether a more sophisticated, less user-interactive-based attack may be developed, perhaps in combination with other vulnerabilities, to exploit this," Trusteer's Klein warned.
"Saying that this vulnerability is not high-risk doesn't mean it's irrelevant or no-risk," nCircle's Lavery pointed out.
"It's not a severe enough issue to warrant an emergency out-of-band patch release, and I'm confident Microsoft will release a patch for it at some point in the future," he added.